Re: OpenSSH contract development / patch

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Wed, May 3, 2017 at 6:01 PM, Damien Miller <djm@xxxxxxxxxxx> wrote:
>
>
> On Wed, 3 May 2017, Stephen Harris wrote:
>
>> On Thu, May 04, 2017 at 09:37:59AM +1000, Adam Eijdenberg wrote:
>> > Hi Devin, have you looked at using openssh certificates to help manage
>> [...]
>> > While the feature has been around for a while now (and is really
>> > useful), there doesn't seem to be huge amount of documentation around
>> > it. I found the following useful when getting a client of my running
>>
>> Yeah, when I wrote about it last year I didn't find many clients
>> (just the openssh client) understood it:
>>   https://www.sweharris.org/post/2016-10-30-ssh-certs/
>
> Nice guide. You might want to mention hostname canonicalisation[1] in
> relation to host certs, it keeps things happy when users specify
> unqualified hostnames.
>
>> How many clients do work with CA signed keys?
>
> The Go x/crypto/ssh package supports OpenSSH certificates and offers
> a callback that's pretty easy to hook up with them.

and how

> I don't know whether anybody is using it for that though.

we use the go stuff to write certs to to an ssh-agent process, so it's
still just an openssh client that's using the resulting cert/key

the terminal emulation stuff scares me more than writing/maintaining
an ssh ca, so I've never really tried to write a full openssh client
replacement.

> I do know of some of certified host keys in the wild with only OpenSSH
> as the client.
>
> -d
>
> [1] http://blog.djm.net.au/2014/01/hostname-canonicalisation-in-openssh.html
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux