On Tue, 16 Jun 2020, Rory Campbell-Lange wrote:

> I'm working on a small server written in Go to add short-lived user
> certificates to the forwarded agents of authorized users.
>
> https://github.com/rorycl/sshagentca
>
> This seems to work quite well for accessing sshd servers with the
> appropriately configured "TrustedUserCAKeys" directive.
>
> I have been in a debate about how similarly adding host certificates to
> forwarded agents could help mitigate man-in-the-middle attacks. This has
> raised a few questions.
>
> Firstly, given a host CA signing key on the sshagentca server, would an
> appropriately constructed host certificate added to a forwarded agent
> replace the necessity for a '@cert-authority' line in a user's known_hosts
> file?

I'm not sure I want to add yet another path (the agent) to ssh's already
twisty host key verification logic. However, a few people have requested
a KnownHostsCommand option that allows the output of a subprocess to be
used in addition to the usual known_hosts. Would this work for you?

> Secondly, would there be any alteration to the requirement for a
> "HostCertificate" CA-signed public key (from a private "HostKey") on
> sshd receiving servers?

I don't understand what you mean here. Could you elaborate?

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
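The two mechanisms the thread is asking about, as an added example that is not part of the thread and not code from sshagentca: the sshd side ("HostKey" plus a CA-signed "HostCertificate") and the client side (an "@cert-authority" line in known_hosts) of host-certificate trust, built with stock ssh-keygen in a scratch directory. The hostname "bastion.example.com", the CA comment "host-ca" and the validity window are assumptions for illustration; the check functions parse "ssh-keygen -L" output, which is how a client-side tool would inspect a cert without network access.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from sshagentca.
# Everything is written under a scratch directory passed as $1; the real
# sshd_config and ~/.ssh are never touched.

# Build a host CA, sign a host key for $2 (assumed: bastion.example.com), and
# write the sshd_config and known_hosts fragments that make the cert usable.
demo_host_cert() {
    dir=$1
    host=${2:-bastion.example.com}   # assumed hostname, for illustration only
    mkdir -p "$dir"

    # 1. Host CA signing key. This stays on the signing server (the role
    #    sshagentca plays for user certs); it is never installed on hosts.
    ssh-keygen -q -t ed25519 -N '' -C 'host-ca' -f "$dir/host_ca"

    # 2. The server's own host key, as sshd keeps it under /etc/ssh.
    ssh-keygen -q -t ed25519 -N '' -C "$host" -f "$dir/ssh_host_ed25519_key"

    # 3. Sign the host public key:
    #    -h  issue a host certificate (without it ssh-keygen issues a user cert,
    #        which a client must not accept as a host identity)
    #    -n  principals: the names clients are allowed to connect to with it
    #    -V  validity window (short-lived, like the user certs in the thread)
    #    Output lands in $dir/ssh_host_ed25519_key-cert.pub.
    ssh-keygen -q -s "$dir/host_ca" -I "$host-host-cert" -h \
        -n "$host" -V '-5m:+52w' "$dir/ssh_host_ed25519_key.pub"

    # 4. sshd_config fragment: sshd still needs its private HostKey; the
    #    HostCertificate is the CA-signed public half it presents to clients.
    cat > "$dir/sshd_config.fragment" <<EOF
HostKey $dir/ssh_host_ed25519_key
HostCertificate $dir/ssh_host_ed25519_key-cert.pub
EOF

    # 5. known_hosts fragment: trust host certs from this CA, but only for
    #    the listed name patterns (here the host and its subdomains).
    printf '@cert-authority %s,*.%s %s\n' "$host" "$host" \
        "$(cat "$dir/host_ca.pub")" > "$dir/known_hosts.fragment"
}

# Is $1 a host certificate (as opposed to a user certificate)?
cert_is_host_cert() {
    ssh-keygen -L -f "$1" | grep -q 'Type: .* host certificate'
}

# Was certificate $1 signed by the CA whose public key is in $2?
# Compares the SHA256 fingerprint of the CA key with the "Signing CA" line.
cert_signed_by() {
    ca_fp=$(ssh-keygen -lf "$2" | awk '{print $2}')
    ssh-keygen -L -f "$1" | grep 'Signing CA:' | grep -qF -- "$ca_fp"
}

# Does certificate $1 carry principal $2? ssh only accepts a host cert for a
# name that appears in its principal list.
cert_has_principal() {
    ssh-keygen -L -f "$1" | grep -qx " *$2"
}

# Stand-alone run: build the scratch PKI and show the resulting artefacts.
if command -v ssh-keygen >/dev/null 2>&1; then
    work=$(mktemp -d)
    demo_host_cert "$work" bastion.example.com
    ssh-keygen -L -f "$work/ssh_host_ed25519_key-cert.pub"
    cat "$work/sshd_config.fragment" "$work/known_hosts.fragment"
    # Negative case: a user cert from the same CA is not a host identity.
    ssh-keygen -q -t ed25519 -N '' -f "$work/user"
    ssh-keygen -q -s "$work/host_ca" -I rory -n rory "$work/user.pub"
    if cert_is_host_cert "$work/user-cert.pub"; then
        echo 'BUG: user cert accepted as host cert'
    else
        echo 'user cert correctly rejected as host identity'
    fi
    rm -rf "$work"
fi
```

Note that nothing in this flow involves the agent: the client's decision is driven by the "@cert-authority" entry, the CA fingerprint and the principal list, which is the "twisty" logic the reply is reluctant to extend. The "KnownHostsCommand" option mentioned in the reply was later released in OpenSSH 8.5 (a fact from the OpenSSH release notes, not from this thread); it lets a subprocess emit extra known_hosts lines, including "@cert-authority" ones, which is the supported way to source CA trust dynamically.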