Re: OpenSSH contract development / patch

On Wed, 3 May 2017, Stephen Harris wrote:

> On Thu, May 04, 2017 at 09:37:59AM +1000, Adam Eijdenberg wrote:
> > Hi Devin, have you looked at using openssh certificates to help manage
> [...]
> > While the feature has been around for a while now (and is really
> > useful), there doesn't seem to be huge amount of documentation around
> > it. I found the following useful when getting a client of mine running
> 
> Yeah, when I wrote about it last year I didn't find many clients
> (just the openssh client) understood it:
>   https://www.sweharris.org/post/2016-10-30-ssh-certs/

Nice guide. You might want to mention hostname canonicalisation[1] in
relation to host certs; it keeps things happy when users specify
unqualified hostnames.

> How many clients do work with CA signed keys?

The Go x/crypto/ssh package supports OpenSSH certificates and offers
a callback that's pretty easy to hook up with them. I don't know whether
anybody is using it for that though.

I do know of some certified host keys in the wild with only OpenSSH
as the client.

-d

[1] http://blog.djm.net.au/2014/01/hostname-canonicalisation-in-openssh.html
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
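
The canonicalisation setup mentioned in the reply above, as an added example that is not part of the original message or of the linked posts. The domain `example.com`, the host `web1` and the CA file name `host_ca` are placeholders, and host certificates are assumed to list only the fully qualified name as principal.

```sshconfig
# ~/.ssh/config  (example.com, web1 and host_ca are placeholders)
#
# Matching trust anchor in ~/.ssh/known_hosts, one line, scoped to the domain
# (key material elided; paste the host CA's public key):
#   @cert-authority *.example.com ssh-ed25519 AAAA...
#
# Assumption: host certificates carry only the FQDN as principal, e.g.
#   ssh-keygen -s host_ca -I web1 -h -n web1.example.com ssh_host_ed25519_key.pub
#
# Without canonicalisation, "ssh web1" is checked against the name "web1":
# it matches neither the *.example.com CA pattern nor the certificate's
# principal, so the certificate is not accepted for that name.

# Rewrite "ssh web1" to "web1.example.com" before the known_hosts lookup
# and the certificate principal check.
CanonicalizeHostname yes
CanonicalDomains example.com

# Only names containing no dots are candidates for canonicalisation.
CanonicalizeMaxDots 0

# Fail when the name is not found in any CanonicalDomains entry, instead of
# falling back to the resolver's search rules. Note this also affects other
# dotless names that are not hosts in example.com.
CanonicalizeFallbackLocal no

# The configuration is processed again with the canonical name, so this
# stanza applies whether the user typed "web1" or "web1.example.com".
Host *.example.com
    # Accept only certificate host keys for these hosts.
    HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com
    StrictHostKeyChecking yes
```

Running `ssh -G web1` prints the configuration the client would use, including the canonicalised `hostname`, which is a quick way to confirm the rewrite before connecting.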