Re: [RFC] Preferentially TOFU certificate authorities rather than host keys

On Wed, 16 Oct 2024, Damien Miller wrote:

> On Mon, 14 Oct 2024, Matthew Garrett wrote:
> 
> > There's currently no way to express trust for an SSH certificate CA other
> > than by manually adding it to known_hosts. This patch modifies the automatic
> > key write-out behaviour on user verification to associate the hostname with
> > the CA rather than the host key, allowing environments making use of
> > certificates to update (potentially compromised) host keys without needing
> > to modify client configuration or force users to update their known_hosts.
> 
> Thanks - this is an intriguing idea. I'll need to consider it a bit;
> TOFU of CA trust anchors is not a common pattern and both the UI and
> the general ramifications need to be thought through.

[...]

> TOFU of CA trust anchors could help here, but we already have a graceful
> key rotation mechanism that is at least partially enabled by default.
> It isn't as effective as I'd like it to be because of a number of corner
> cases that have yet to be filed smooth. See client_input_hostkeys() in
> clientloop.c for the whole mess.

Thinking about this some more: we'd definitely want the existing key
rotation support to be applicable to TOFU'd CA trust anchors, otherwise
they could be a step backwards in some important ways, or at least
inconsistent with how plain keys are handled.

Unfortunately one of the existing rough edges here is CA trust anchor
support in known_hosts, so that would need to be addressed early.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
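For readers following the known_hosts side of this thread, here is an added example (not code from the patch or from OpenSSH) that parses known_hosts entries, including the `@cert-authority` and `@revoked` markers and HashKnownHosts-style hashed host fields, and reports which pinned host keys and CA anchors apply to a given hostname; the key blobs and the salt are constructed placeholders and no signatures are checked.

```python
import base64, fnmatch, hashlib, hmac

HASH_MAGIC = "|1|"  # prefix of hashed host fields (HashKnownHosts)

def hash_hostname(hostname, salt):
    """Hashed host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, hostname))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()

def host_matches(host_field, hostname):
    """Does a host field (hashed, or comma-separated patterns) cover hostname?"""
    if host_field.startswith(HASH_MAGIC):
        salt = base64.b64decode(host_field[len(HASH_MAGIC):].split("|", 1)[0])
        return hmac.compare_digest(hash_hostname(hostname, salt), host_field)
    matched = False
    for pattern in host_field.split(","):
        hit = fnmatch.fnmatchcase(hostname, pattern.lstrip("!"))  # '*' and '?' wildcards
        if pattern.startswith("!") and hit:
            return False  # a negated pattern vetoes the entry for this host
        matched = matched or (hit and not pattern.startswith("!"))
    return matched

def parse_known_hosts(text):
    """Yield (marker, host_field, keytype, key); marker is None, 'cert-authority' or 'revoked'."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        marker = None
        if line.startswith("@"):
            marker, line = line[1:].split(None, 1)
        fields = line.split()
        if len(fields) >= 3:  # shorter lines are malformed and ignored
            yield marker, fields[0], fields[1], fields[2]

def trust_for(text, hostname):
    """Split entries applying to hostname into pinned host keys, CA anchors and revocations."""
    buckets = {None: "host_keys", "cert-authority": "ca_keys", "revoked": "revoked"}
    out = {"host_keys": [], "ca_keys": [], "revoked": []}
    for marker, hosts, _keytype, key in parse_known_hosts(text):
        if marker in buckets and host_matches(hosts, hostname):
            out[buckets[marker]].append(key)
    return out

# Constructed sample; the key blobs and salt are placeholders, not real material.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "git.example.com ssh-ed25519 AAAAC3PLACEHOLDER_OLD_HOST_KEY",          # plain TOFU pin
    "@cert-authority *.example.com ssh-ed25519 AAAAC3PLACEHOLDER_CA_KEY",  # CA anchor for the domain
    "@revoked * ssh-rsa AAAAB3PLACEHOLDER_REVOKED_KEY",
    hash_hostname("git.example.com", b"constructed-20B-salt") + " ssh-rsa AAAAB3PLACEHOLDER_HASHED",
])
```

With the sample file, `trust_for(SAMPLE_KNOWN_HOSTS, "build.example.com")` finds no pinned host key but does find the CA anchor, which is the situation the patch aims for: a host under that CA can rotate its key without any edit to known_hosts.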