Re: HashKnownHosts vs @cert-authority

On Dec 12, 2016 4:17 AM, "Harald Dunkel" <harald.dunkel@xxxxxxxxx> wrote:

On 12/12/2016 09:09 AM, Damien Miller wrote:
> On Fri, 9 Dec 2016, Harald Dunkel wrote:
>
>> Hi folks,
>>
>> maybe I am too blind to see, but would it be possible to
>> avoid extra entries in known_hosts, if the remote host
>> has a signed public key matching a @cert-authority line?
>> Something like
>>
>>      Host *
>>              HashKnownHosts unsigned
>>
>> This could help to keep the known_hosts file small and
>> yet get all the unsigned public keys in.
>
> Certificates aren't added to known_hosts when the CA is trusted,
> so this is pretty much already the behaviour.
>
> -d
>

I'm not talking about the signed certificates, but the host keys.
Sample session:

% cat .ssh/known_hosts.ca
@cert-authority *.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...5yM9EUO40GTkTDdm/tqXLr root@xxxxxxxxxxxxxx
@cert-authority *.hosting.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQA...w83RVE37kLAaoGXjQ8mKp4wuUmRuxf root@xxxxxxxxxxxxxxxxxxxxxxxxx
% ssh -o UserKnownHostsFile=${HOME}/.ssh/known_hosts.ca dpcl064 echo "hello, world"
Warning: Permanently added 'dpcl064'


Your cert is good for *.hosting.example.com but you're connecting to
dpcl064. Unless your ssh_config is doing some canonicalization, your client
won't accept the host cert presented since the host name doesn't match the
principals listed in the CA.


(RSA) to the list of known hosts.
hello, world
% 551} cat .ssh/known_hosts.ca
@cert-authority *.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...5yM9EUO40GTkTDdm/tqXLr root@xxxxxxxxxxxxxx
@cert-authority *.hosting.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQA...w83RVE37kLAaoGXjQ8mKp4wuUmRuxf root@xxxxxxxxxxxxxxxxxxxxxxxxx
|1|enWm+4uvYU/G0qgjuYP0TpxIk3M=|MpKwoY+HIrUJbcR4vrNH1xYxWT4= ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB...I2bbm6C52Uga3TBWQ7F+xG0Wd5k1I+KMJnJ


Regards
Harri
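As an added illustration (not code from the thread or from OpenSSH), the script below reproduces the check the reply describes: whether a hostname falls under any @cert-authority pattern in a known_hosts file, and whether a plain or HashKnownHosts (`|1|salt|hmac`) line already pins a key for it. The wildcard rules and the hashed-entry format follow the documented known_hosts syntax; the key blobs and the salt are constructed placeholders.

```python
import base64
import hashlib
import hmac
import re

# Constructed known_hosts modelled on the thread; key blobs are placeholders, not real keys.
KNOWN_HOSTS = """\
@cert-authority *.example.com ssh-rsa AAAA...PLACEHOLDER-CA1 root@ca1
@cert-authority *.hosting.example.com ssh-rsa AAAA...PLACEHOLDER-CA2 root@ca2
"""

def pattern_matches(pattern: str, hostname: str) -> bool:
    """OpenSSH host pattern list: comma-separated, '*' and '?' wildcards,
    a leading '!' negates and overrides any positive match; case-insensitive."""
    host, matched = hostname.lower(), False
    for pat in pattern.lower().split(","):
        negate = pat.startswith("!")
        pat = pat[1:] if negate else pat
        regex = "^" + re.escape(pat).replace(r"\*", ".*").replace(r"\?", ".") + "$"
        if re.match(regex, host):
            if negate:
                return False
            matched = True
    return matched

def hash_hostname(hostname: str, salt: bytes) -> str:
    """HashKnownHosts form of a host field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def hashed_entry_matches(field: str, hostname: str) -> bool:
    parts = field.split("|")
    if len(parts) != 4 or parts[1] != "1":
        return False
    return hmac.compare_digest(hash_hostname(hostname, base64.b64decode(parts[2])), field)

def classify(known_hosts: str, hostname: str) -> dict:
    """CA lines that would vouch for a cert from `hostname`, and lines that already pin a key for it."""
    out = {"cert_authorities": [], "pinned_keys": []}
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "@cert-authority" and pattern_matches(fields[1], hostname):
            out["cert_authorities"].append(fields[1])
        elif fields[0].startswith("|1|") and hashed_entry_matches(fields[0], hostname):
            out["pinned_keys"].append(fields[0])
        elif not fields[0].startswith(("@", "|")) and pattern_matches(fields[0], hostname):
            out["pinned_keys"].append(fields[0])
    return out
```

Run against the thread's two CA lines, the bare name `dpcl064` matches no @cert-authority pattern, which is why the client falls back to pinning the plain host key, while `dpcl064.hosting.example.com` matches both; connecting by FQDN or enabling `CanonicalizeHostname` in ssh_config is what makes the cert usable.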

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev