client host certificates and receiving host configuration

I'm working on a small server written in Go to add short-lived user
certificates to the forwarded agents of authorized users.

    https://github.com/rorycl/sshagentca

This seems to work quite well for accessing sshd servers with the
appropriately configured "TrustedUserCAKeys" directive.

I have been in a debate about how similarly adding host certificates to
forwarded agents could help mitigate man-in-the-middle attacks. This has
raised a few questions.

Firstly, given a host CA signing key on the sshagentca server, would an
appropriately constructed host certificate added to a forwarded agent
replace the necessity for a '@cert-authority' line in a user's known_hosts
file?

Secondly, would there be any alteration to the requirement for a
"HostCertificate" CA-signed public key (from a private "HostKey") on
sshd receiving servers?

Many thanks
Rory
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


