@cert-authority for hostbased auth - sans shosts?

Hi,

we're looking to reduce the number of host lists that
need to be kept in sync in our system. (There are quite a few of them all over the place)

OpenSSH CAs are an obvious solution for not having to
keep all host keys in sync in /etc/ssh/known_hosts, however,
while OpenSSH does support using a CA in conjunction with hostbased authentication, it still requires a list of all authorized host names in the rhosts / shosts file.

That does make sense, as known_hosts is of course primarily for, well, knowing host keys, and doesn't say anything about trusting them for hostbased authentication, so for hostbased using a @cert-authority here is functionally the same as just listing all issued public keys directly.

That's an improvement over having to keep both authorized_keys and shosts
up to date, but as the whole point of a CA mechanism is to delegate trust,
shosts seems a bit redundant in this case. It seems to me like there's a missing piece here, something like an /etc/ssh/authorized_keys, which would allow you to write
something in the spirit of

cert-authority,hosts="*.mycluster.foo.bar" ssh-...

which would then permit hostbased authentication for hosts with a valid certificate
matching the hostname pattern without passing further shosts checks.

Cheers,
Marian

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
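The following is an added illustration, not code from the post or from OpenSSH. It models the two checks the post describes on the server side: a known_hosts @cert-authority entry (which only says whose host certificates are trusted for which name patterns) and the shosts.equiv list (which is what actually grants hostbased authentication), so that a host holding a valid certificate but missing from shosts.equiv is still refused. It then models the hypothetical `cert-authority,hosts="..."` line the post proposes, in which trust is delegated to the CA plus a hostname pattern. The file contents, key strings and certificate dictionaries are constructed stand-ins (no real key material is parsed or verified), and the shosts.equiv handling is a simplification of OpenSSH's real rules.

```python
import re

# Constructed sample files (not taken from any real system).
KNOWN_HOSTS = """\
# CA trusted to certify any host in the cluster
@cert-authority *.mycluster.foo.bar ssh-ed25519 AAAACA-CONSTRUCTED-KEY ca@foo.bar
# a directly pinned host key, unrelated to the CA
db1.mycluster.foo.bar ssh-ed25519 AAAADB1-CONSTRUCTED-KEY
"""
SHOSTS_EQUIV = """\
# hosts permitted to use hostbased auth; a leading '-' denies the host
web1.mycluster.foo.bar
-web2.mycluster.foo.bar
"""
# The syntax proposed in the post; hypothetical, OpenSSH does not implement it.
PROPOSED_LINE = 'cert-authority,hosts="*.mycluster.foo.bar" ssh-ed25519 AAAACA-CONSTRUCTED-KEY ca@foo.bar'

# Constructed certificate stand-ins: who signed them and which principals they carry.
CERT_WEB1 = {"signer_key": "AAAACA-CONSTRUCTED-KEY", "principals": ["web1.mycluster.foo.bar"]}
CERT_WEB3 = {"signer_key": "AAAACA-CONSTRUCTED-KEY", "principals": ["web3.mycluster.foo.bar"]}
CERT_OTHER_CA = {"signer_key": "AAAAOTHER-CONSTRUCTED-KEY", "principals": ["web1.mycluster.foo.bar"]}


def match_pattern(s, pattern):
    """OpenSSH-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, s, re.IGNORECASE) is not None


def match_pattern_list(s, pattern_list):
    """Comma-separated patterns; a pattern prefixed with '!' negates and wins outright."""
    matched = False
    for pat in pattern_list.split(","):
        if match_pattern(s, pat.lstrip("!")):
            if pat.startswith("!"):
                return False
            matched = True
    return matched


def parse_known_hosts(text):
    """Return entries as dicts: marker (e.g. '@cert-authority' or None), host pattern, key type, key."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = fields.pop(0) if fields[0].startswith("@") else None
        entries.append({"marker": marker, "hosts": fields[0], "keytype": fields[1], "key": fields[2]})
    return entries


def parse_shosts_equiv(text):
    """Simplified shosts.equiv: one host per line, '-host' denies, comments ignored."""
    allowed, denied = set(), set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            host = line.split()[0]
            (denied if host.startswith("-") else allowed).add(host.lstrip("-").lower())
    return allowed, denied


def ca_trusted_for_host(entries, client_host, ca_key):
    """True if some @cert-authority entry names this CA key for a pattern matching the host."""
    return any(e["marker"] == "@cert-authority" and e["key"] == ca_key
               and match_pattern_list(client_host, e["hosts"]) for e in entries)


def hostbased_allowed(client_host, cert, known_hosts_text, shosts_text):
    """Today's model: the certificate must chain to a trusted CA AND the host must be in shosts.equiv."""
    if not ca_trusted_for_host(parse_known_hosts(known_hosts_text), client_host, cert["signer_key"]):
        return False, "no @cert-authority entry trusts this CA for this host"
    if client_host.lower() not in (p.lower() for p in cert["principals"]):
        return False, "certificate principals do not include the client host"
    allowed, denied = parse_shosts_equiv(shosts_text)
    if client_host.lower() in denied or client_host.lower() not in allowed:
        return False, "host not listed in shosts.equiv"
    return True, "ok"


def proposed_allowed(client_host, cert, authorized_line):
    """The post's hypothetical line: trust the CA for hosts matching the 'hosts=' pattern, no shosts lookup."""
    opts, _keytype, rest = authorized_line.split(None, 2)
    key = rest.split()[0]
    # strip quoted values before looking for the bare 'cert-authority' option
    has_ca = "cert-authority" in re.sub(r'"[^"]*"', "", opts).split(",")
    hosts = re.search(r'hosts="([^"]*)"', opts)
    return bool(has_ca and hosts and key == cert["signer_key"]
                and match_pattern_list(client_host, hosts.group(1))
                and client_host.lower() in (p.lower() for p in cert["principals"]))


if __name__ == "__main__":
    for host, cert in [("web1.mycluster.foo.bar", CERT_WEB1), ("web3.mycluster.foo.bar", CERT_WEB3)]:
        print(host, "today:", hostbased_allowed(host, cert, KNOWN_HOSTS, SHOSTS_EQUIV),
              "proposed:", proposed_allowed(host, cert, PROPOSED_LINE))
```

Running it shows the gap the post is about: web3 has a certificate from the trusted CA with a matching principal, yet is refused because it is absent from shosts.equiv, while the proposed line would admit it purely on the CA's say-so and the hostname pattern. The same pattern matcher is also what keeps a certificate for a host outside the pattern (or signed by a different CA) from being accepted under either model.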


