On 15/03/19, Nico Kadel-Garcia (nkadel@xxxxxxxxx) wrote:
> On Fri, Mar 15, 2019 at 6:40 AM Stephen Harris <lists@xxxxxxxxxx> wrote:
> > On Fri, Mar 15, 2019 at 09:10:26AM +0000, Jochen Bern wrote:
> > And that's when you look at using certificate based host keys.
>
> And it fails miserably as soon as any of the intervening firewalls
> block ICMP, such as, say, the security group settings for an AWS
> deployed virtual host. You need to check with port 22 on TCP, not ICMP
> packets. This sort of thing is also why a casually assembled "doodz,
> just do this thing!!!" breaks down in the larger world.

Hi Nico

Referencing back to the OP's question:

> > On 14/03/19, Jeremy Lin (jeremy.lin@xxxxxxxxx) wrote:
> > > As far as I can tell, there currently isn't a straightforward way to
> > > use password authentication for connecting to hosts where the host key
> > > changes frequently.

Is there an issue with using certificate based host keys, as Jochen suggests, that means they can't easily be used for auto-generated instances?

According to the RedHat docs:

"To authenticate a host to a user, a public key must be generated on the host, passed to the CA server, signed by the CA, and then passed back to be stored on the host to present to a user attempting to log into the host."

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-signing_ssh_certificates

The process of picking up the auto-generated host file ssh_host_rsa_key.pub to the CA machine, signing the host file, copying the resulting certificate back to the host, adding the line "HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub" (or an alternative) to the host's /etc/ssh/sshd_config file and restarting sshd can all be automated.

If all users have received the CA public host key and have added it with the requisite @cert-authority preamble to their ~/.ssh/known_hosts file, the host warning Jeremy was complaining about would not occur.

Or am I missing something obvious?

Thanks
Rory

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
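The signing workflow Rory sketches, as an added example that is not part of the thread: stock ssh-keygen signs a freshly generated host key with a CA, emits the sshd_config lines and the users' @cert-authority known_hosts line, and checks the certificate's principal before it is shipped back. The scratch paths, the CA identity and the hostname web01.example.com are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: automate the host-certificate workflow
# described above with stock ssh-keygen. Scratch paths, the CA identity and
# the hostname web01.example.com are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_KEY="$WORK/host_ca"                  # CA private key; stays on the CA machine
HOST_KEY="$WORK/ssh_host_ed25519_key"   # stand-in for the instance's generated key
HOST_FQDN="${1:-web01.example.com}"

# Sign the host public key. -h marks a host cert, -n pins the principals
# (host names) it is valid for, -V bounds the validity window.
sign_host_key() {
    ssh-keygen -q -s "$CA_KEY" -I "host:$HOST_FQDN" -h \
        -n "$HOST_FQDN" -V -5m:+52w "$HOST_KEY.pub"
    echo "$HOST_KEY-cert.pub"
}

# Lines for the instance's sshd_config; sshd must be restarted afterwards.
sshd_config_fragment() {
    printf 'HostKey %s\nHostCertificate %s\n' "$HOST_KEY" "$HOST_KEY-cert.pub"
}

# The @cert-authority line each user appends to ~/.ssh/known_hosts. The
# pattern restricts which host names this CA may vouch for.
known_hosts_line() {
    printf '@cert-authority *.example.com %s\n' "$(cut -d' ' -f1,2 "$CA_KEY.pub")"
}

# Confirm the certificate names the expected principal before shipping it back.
cert_has_principal() {
    ssh-keygen -L -f "$1" | grep -q "^[[:space:]]*$2\$"
}

main() {
    # One-time CA key; the host key would normally be generated by the instance.
    [ -f "$CA_KEY" ]   || ssh-keygen -q -t ed25519 -N '' -C host-ca -f "$CA_KEY"
    [ -f "$HOST_KEY" ] || ssh-keygen -q -t ed25519 -N '' -f "$HOST_KEY"
    CERT=$(sign_host_key)
    cert_has_principal "$CERT" "$HOST_FQDN"
    sshd_config_fragment
    known_hosts_line
}
if command -v ssh-keygen >/dev/null 2>&1; then
    main
else
    echo "ssh-keygen not found; nothing signed" >&2
fi
```

On a real CA machine only the signing step runs there; the host key comes from the instance and the certificate goes back to it.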