Re: prompt to update a host key

On 15/03/19, Nico Kadel-Garcia (nkadel@xxxxxxxxx) wrote:

> On Fri, Mar 15, 2019 at 6:40 AM Stephen Harris <lists@xxxxxxxxxx> wrote:
> > On Fri, Mar 15, 2019 at 09:10:26AM +0000, Jochen Bern wrote:
> > And that's when you look at using certificate based host keys.
> 
> And it fails miserably as soon as any of the intervening firewalls
> block ICMP, such as, say, the security group settings for an AWS
> deployed virtual host. You need to check with port 22 on TCP, not ICMP
> packets. This sort of thing is also why a casually assembled "doodz,
> just do this thing!!!" breaks down in the larger world.

Hi Nico

Referencing back to the OP's question:

> > On 14/03/19, Jeremy Lin (jeremy.lin@xxxxxxxxx) wrote:
> > > As far as I can tell, there currently isn't a straightforward way to
> > > use password authentication for connecting to hosts where the host key
> > > changes frequently.

Is there an issue with using certificate based host keys, as Jochen
suggests, that means they can't easily be used for auto-generated
instances?

According to the RedHat docs: "To authenticate a host to a user, a
public key must be generated on the host, passed to the CA server,
signed by the CA, and then passed back to be stored on the host to
present to a user attempting to log into the host."
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-signing_ssh_certificates

The process of picking up the auto-generated host file
ssh_host_rsa_key.pub to the CA machine, signing the host file, copying
the resulting certificate back to the host, adding the line
"HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub" or alternative in
the host /etc/ssh/sshd_config file and restarting sshd can all be
automated.

If all users have received the CA public host key and have added it with
the requisite @cert-authority preamble to their ~/.ssh/known_hosts file,
the host warning Jeremy was complaining about would not occur.

Or am I missing something obvious?

Thanks
Rory
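
The automated workflow Rory outlines above (sign the host key on the CA machine, install it with HostCertificate on the host, trust the CA with an @cert-authority line on clients), as an added shell example that is not code from the thread or from OpenSSH itself; the CA key name, file paths, identity, hostnames and the validity interval are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread. Automates the host-certificate steps
# Rory lists: sign on the CA machine, install on the host, trust the CA on clients.
# Assumed: a CA key pair (ca, ca.pub) on the CA machine; paths below are examples.
set -eu

# CA machine: sign the host's public key as a host certificate (-h).
#   -I  certificate identity (appears in sshd/ssh logs)
#   -n  principals: the names clients may use to reach this host
#   -V  validity interval (not in the thread; short-lived instances suit short certs)
# Prints the path ssh-keygen writes the certificate to (<key>-cert.pub).
sign_host_key() { # sign_host_key CA_KEY HOST_PUBKEY IDENTITY PRINCIPALS [VALIDITY]
  ssh-keygen -q -s "$1" -I "$3" -h -n "$4" -V "${5:-+52w}" "$2"
  printf '%s\n' "${2%.pub}-cert.pub"
}

# Host: append the HostCertificate line once (idempotent); afterwards the
# caller validates the config with `sshd -t` and reloads sshd.
add_host_certificate() { # add_host_certificate SSHD_CONFIG CERT_PATH
  grep -qxF "HostCertificate $2" "$1" 2>/dev/null ||
    printf 'HostCertificate %s\n' "$2" >>"$1"
}

# Client: one @cert-authority line in ~/.ssh/known_hosts covers every host the
# CA signs, so regenerated host keys no longer trigger the mismatch warning.
# The host pattern limits which names the CA is trusted to vouch for.
cert_authority_line() { # cert_authority_line HOSTPATTERN CA_PUBKEY
  printf '@cert-authority %s %s\n' "$1" "$(cut -d' ' -f1,2 "$2")"
}

# Demo with throwaway keys (runs only when ssh-keygen is installed).
if command -v ssh-keygen >/dev/null 2>&1; then
  demo=$(mktemp -d)
  ssh-keygen -q -t ed25519 -N '' -f "$demo/ca"
  ssh-keygen -q -t ed25519 -N '' -f "$demo/ssh_host_ed25519_key"
  cert=$(sign_host_key "$demo/ca" "$demo/ssh_host_ed25519_key.pub" \
                       web-01 'web-01.example.com,10.0.0.5' +4w)
  add_host_certificate "$demo/sshd_config" "$cert"
  cert_authority_line '*.example.com,10.0.0.*' "$demo/ca.pub"
  ssh-keygen -L -f "$cert"   # shows "host certificate" and the principals
fi
```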

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev