PKI host based principal

Hello,

Maybe I did not understand correctly the PKI trust, so forgive me if I am wrong.

For example, I have multiple hosts that all serve as monitoring
servers. I would like to trust only these hosts, so I enrol a
certificate for these using the "monitoring" principal, so I can connect
only to these.

At first I thought we could use a Match statement in ssh_config; however,
the Match is evaluated before the connection, so the remote principal
name is not available at this stage.

From what I understand, the known_hosts format enables a CA key and a
DNS mask of matched hosts.

There is no way to match against the certificate principal name.

I thought about something like:

@cert-authority
*.mydomain.org,*.mydomain.com,principal=xxx,principal=yyy <CA_KEY>

If the above cannot be done, do you think it will be helpful?

BTW: It would also be handy to allow specifying the CA key in a separate
file, something like the following:

@cert-authority-file *.mydomain.org,*.mydomain.com,principal=xxx /etc/.../ca.pub

Regards,
Alon Bar-Lev.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
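The trust scoping the post describes, modelled as an added example (this is not code from the original post or from OpenSSH). It follows the known_hosts format documented in sshd(8): an optional marker (`@cert-authority` or `@revoked`), a comma-separated list of host patterns with `*` and `?` wildcards and `!` negation, then key type, base64 key and an optional comment. The known_hosts content and the keys are constructed placeholders; the rule that the connected hostname must appear in the certificate's principal list is an assumption stated in the code. The last function parses the post's proposed `principal=xxx` syntax with today's rules to show it would be read as just another hostname pattern.

```python
"""Model of how an OpenSSH client scopes @cert-authority trust in known_hosts.
Added example; not code from the original post or from OpenSSH. Hashed
("|1|...") hostnames are not handled here."""

# Constructed known_hosts content; the keys are placeholders, not real keys.
KNOWN_HOSTS = """\
@cert-authority *.mydomain.org,*.mydomain.com ssh-ed25519 AAAA_PLACEHOLDER_CA1 ops-ca
@cert-authority !bad.mydomain.org,*.mydomain.org ssh-ed25519 AAAA_PLACEHOLDER_CA2 second-ca
@revoked * ssh-rsa AAAA_PLACEHOLDER_REVOKED leaked-key
db1.mydomain.org ssh-ed25519 AAAA_PLACEHOLDER_PLAIN
"""


def glob_match(pattern, text):
    """Match with the two wildcards sshd(8) allows: '*' (any run) and '?' (one char)."""
    if not pattern:
        return text == ""
    if pattern[0] == "*":
        return any(glob_match(pattern[1:], text[i:]) for i in range(len(text) + 1))
    if text and pattern[0] in ("?", text[0]):
        return glob_match(pattern[1:], text[1:])
    return False


def host_matches(patterns, hostname):
    """A hostname matches a pattern list if some positive pattern matches
    and no '!'-negated pattern does (hostnames compared case-insensitively)."""
    hostname = hostname.lower()
    negated = [p[1:].lower() for p in patterns if p.startswith("!")]
    positive = [p.lower() for p in patterns if not p.startswith("!")]
    if any(glob_match(n, hostname) for n in negated):
        return False
    return any(glob_match(p, hostname) for p in positive)


def parse_known_hosts(text):
    """Return entries as (marker, patterns, keytype, key) tuples; comments are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        marker = None
        if line.startswith("@"):
            marker, line = line.split(None, 1)
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line: skipped, as OpenSSH does
        entries.append((marker, fields[0].split(","), fields[1], fields[2]))
    return entries


def trusted_ca_keys(entries, hostname):
    """CA keys allowed to sign a host certificate for this hostname.
    Only the hostname and the CA key take part; no principal is consulted."""
    return {key for marker, pats, _, key in entries
            if marker == "@cert-authority" and host_matches(pats, hostname)}


def revoked_keys(entries, hostname):
    """Keys marked @revoked for patterns covering this hostname."""
    return {key for marker, pats, _, key in entries
            if marker == "@revoked" and host_matches(pats, hostname)}


def accept_host_cert(entries, hostname, ca_key, cert_principals):
    """Decision model: the CA must be trusted for the hostname pattern and not
    revoked, and (assumed strict rule) the hostname must be listed among the
    certificate's principals. A principal such as 'monitoring' alone never
    matches, which is the gap the post points out."""
    if ca_key in revoked_keys(entries, hostname):
        return False
    if ca_key not in trusted_ca_keys(entries, hostname):
        return False
    return hostname.lower() in {p.lower() for p in cert_principals}


def principal_fields_as_host_patterns(line):
    """Parse the post's proposed syntax with today's format: any 'principal=...'
    token lands in the hostname pattern list and can never match a real host."""
    (_, pats, _, _), = parse_known_hosts(line)
    return [p for p in pats if p.startswith("principal=")]


if __name__ == "__main__":
    entries = parse_known_hosts(KNOWN_HOSTS)
    print(sorted(trusted_ca_keys(entries, "mon1.mydomain.org")))
    print(accept_host_cert(entries, "mon1.mydomain.org",
                           "AAAA_PLACEHOLDER_CA1", ["monitoring"]))
    print(principal_fields_as_host_patterns(
        "@cert-authority *.mydomain.org,principal=xxx ssh-ed25519 AAAA_PLACEHOLDER_CA1"))
```

Run as a script it prints the two CA keys trusted for `mon1.mydomain.org`, `False` for a certificate whose only principal is `monitoring`, and `['principal=xxx']` for the proposed line, i.e. the token is swallowed as a hostname pattern rather than acting as a principal filter.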