Re: PKI host based principal

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Mon, Feb 23, 2015 at 7:35 PM, Damien Miller <djm@xxxxxxxxxxx> wrote:
>
> On Sun, 22 Feb 2015, Alon Bar-Lev wrote:
>
> > Hello,
> >
> > Maybe I did not understand correctly the PKI trust, so forgive me if I
> > am wrong.
> >
> > For example, I have multiple hosts that all serves as monitoring
> > server, I would like to trust only these hosts, so I enrol a
> > certificate for these using "monitoring" principal, so I can connect
> > only to these.
> >
> > At first I thought we can do Match statement at ssh_config, however,
> > the Match is being evaluated before connection, so remove principal
> > name is not available at this stage.
> >
> > From what I do understand the known_hosts format enables CA key and
> > DNS mask of matched hosts.
> >
> > There is no way to match against the certificate principal name.
> >
> > I thought about something like:
> >
> > @cert-authority
> > *.mydomain.org,*.mydomain.com,principal=xxx,principal=yyy <CA_KEY>
>
> I don't think I wasnt to add more indirection to known_hosts; the file
> is already a mess of tangled, overlapping features and I'm terrified to
> add more :/
>
> Someone sent me a patch to allow certificate hostname principal matching
> against HostkeyAlias if matching against the exact hostname failed.
> This  might be an alternative way for you to achieve what you want.
> What do you think?

yes, I found this patch after I posted this :)
it would be a solution.

>
> > If the above cannot be done, do you think it will be helpful?
> >
> > BTW: It would also be handy to allow specify CA key within separate
> > file, something like the following:
> >
> > @cert-authority-file *.mydomain.org,*.mydomain.com,principal=xxx /etc/.../ca.pub
>
> I'm not sure it's worth the extra complexity in known_hosts parsing,
> given that it's already possible to specify multiple user/system
> known_hosts files.
>
> E.g. you could do:
>
> UserKnownHostsFile ~/.ssh/known_hosts ~/.ssh/known_hosts_mydomain
>
> with the latter listing the CA keys.

I am thinking of avoiding specify the ca key over and over within the file.

I mean, instead of having one large selection of valid principal
enable principal per line, while simplify the ca key.

Another issue is that unlike the sshd_config which can point to a
file, I cannot have static configuration for the ssh client side
because I must generate the known_hosts based on the CA key that I
receive during setup.

Not critical, for this I have a solution.

Thanks!
Alon
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux