Re: HashKnownHosts vs @cert-authority

On 12/12/2016 09:09 AM, Damien Miller wrote:
> On Fri, 9 Dec 2016, Harald Dunkel wrote:
> 
>> Hi folks,
>>
>> maybe I am too blind to see, but would it be possible to
>> avoid extra entries in known_hosts, if the remote host
>> has a signed public key matching a @cert-authority line?
>> Something like
>>
>> 	Host *
>> 		HashKnownHosts unsigned
>>
>> This could help to keep the known_hosts file small and
>> yet get all the unsigned public keys in.
> 
> Certificates aren't added to known_hosts when the CA is trusted,
> so this is pretty much already the behaviour.
> 
> -d
> 

I'm not talking about the signed certificates, but the host keys.
Sample session:

% cat .ssh/known_hosts.ca
@cert-authority *.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...5yM9EUO40GTkTDdm/tqXLr root@xxxxxxxxxxxxxx
@cert-authority *.hosting.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQA...w83RVE37kLAaoGXjQ8mKp4wuUmRuxf root@xxxxxxxxxxxxxxxxxxxxxxxxx
% ssh -o UserKnownHostsFile=${HOME}/.ssh/known_hosts.ca dpcl064 echo "hello, world"
Warning: Permanently added 'dpcl064' (RSA) to the list of known hosts.
hello, world
% 551} cat .ssh/known_hosts.ca
@cert-authority *.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...5yM9EUO40GTkTDdm/tqXLr root@xxxxxxxxxxxxxx
@cert-authority *.hosting.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQA...w83RVE37kLAaoGXjQ8mKp4wuUmRuxf root@xxxxxxxxxxxxxxxxxxxxxxxxx
|1|enWm+4uvYU/G0qgjuYP0TpxIk3M=|MpKwoY+HIrUJbcR4vrNH1xYxWT4= ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB...I2bbm6C52Uga3TBWQ7F+xG0Wd5k1I+KMJnJ


Regards
Harri

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
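As an added example (not code from this thread or from OpenSSH), the Python below parses a known_hosts file in the layout shown in the session above, separates @cert-authority lines from plain hashed host-key lines, and recomputes the HashKnownHosts HMAC so you can see which entries actually cover a given hostname. The sample file, the fixed salt and the key strings are constructed placeholders; the pattern matching is a simplified version of OpenSSH's.

```python
import base64, hashlib, hmac
from collections import namedtuple
from fnmatch import fnmatchcase

# marker: "@cert-authority", "@revoked" or None (a plain, unsigned host key).
# hosts: comma-separated patterns, or the HashKnownHosts form "|1|salt|hash|".
KnownHost = namedtuple("KnownHost", "marker hosts keytype key")

def hash_hostname(hostname: str, salt: bytes) -> str:
    """HashKnownHosts form: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=hostname))|."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def parse_known_hosts(text: str) -> list:
    """Split known_hosts into entries; blank and comment lines are skipped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = None
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            raise ValueError("malformed known_hosts line: %r" % raw)
        entries.append(KnownHost(marker, fields[0], fields[1], fields[2]))
    return entries

def hosts_match(hosts: str, hostname: str) -> bool:
    """Hashed field: recompute the HMAC with the stored salt. Plain field: any pattern
    matches ('*'/'?' wildcards; '!' negation and [host]:port are not handled here)."""
    if hosts.startswith("|1|"):
        salt = base64.b64decode(hosts.split("|")[2])
        return hmac.compare_digest(hash_hostname(hostname, salt), hosts)
    return any(fnmatchcase(hostname, pat) for pat in hosts.split(","))

def entries_for(text: str, hostname: str) -> dict:
    """Entries covering hostname, grouped by how the client will treat them."""
    groups = {"cert-authority": [], "revoked": [], "plain": []}
    for e in parse_known_hosts(text):
        if hosts_match(e.hosts, hostname):
            groups[(e.marker or "@plain")[1:]].append(e)
    return groups

# Constructed sample: the CA line plus the hashed plain host key ssh added for dpcl064.
SALT = bytes(range(20))  # fixed so the sample is reproducible; ssh draws a random salt
SAMPLE = "\n".join([
    "@cert-authority *.example.com ssh-rsa AAAA_CA_KEY_PLACEHOLDER root@ca",
    hash_hostname("dpcl064", SALT) + " ssh-rsa AAAA_HOST_KEY_PLACEHOLDER",
])
```

Calling entries_for(SAMPLE, "dpcl064") lists the hashed line as a plain, unsigned host-key entry, while the CA line's pattern *.example.com only covers a fully qualified name such as dpcl064.example.com.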


