[Bug 3001] New: enable sending OpenPGP-formed certificates for ssh hosts

bugzilla-daemon@bugzilla.mindrot.org
Wed May 1 01:58:31 AEST 2019


https://bugzilla.mindrot.org/show_bug.cgi?id=3001

            Bug ID: 3001
           Summary: enable sending OpenPGP-formed certificates for ssh
                    hosts
           Product: Portable OpenSSH
           Version: 8.0p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs@mindrot.org
          Reporter: dkg@fifthhorseman.net

This is a feature request for in-band transmission of OpenPGP
certificates for OpenSSH hosts.

I propose adding a new HostKeyAlgorithm
`openpgp-ed25519-cert@monkeysphere.info`, which transmits that same
public key material, wrapped in OpenPGP key material, to the client.

The first step of the implementation would just be server-side: if the
client states a preference for that algorithm, and sshd knows of a
`HostKey` named `$FOO` that contains an ed25519 secretkey, and
`$FOO.pgp` exists, then `sshd` should just send the content of
`$FOO.pgp` over the wire, while working with the secret key found in
`$FOO`.

This permits the host to send in-band OpenPGP-style certificates,
without `sshd` needing to know anything about the format.

The second step toward making this useful in an
OpenSSH-on-both-endpoints ecosystem would be client-side, something
like the `KnownHostsCommand` request from bug 1777; I'll defer that
discussion over there.

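The server-side step described in the request, as an added example that is not part of this bug report or of OpenSSH: a small Go model of what sshd would do with `$FOO` and `$FOO.pgp` when a client lists the new algorithm. Only the algorithm name `openpgp-ed25519-cert@monkeysphere.info` comes from the request; everything else is assumed for illustration. `$FOO` is read as a raw 64-byte ed25519 private key rather than OpenSSH's own key file format, the `.pgp` sidecar is a constructed placeholder rather than a real OpenPGP certificate, the exchange hash is a constructed stand-in, and the names `HostKey`, `LoadHostKey`, `Negotiate`, `HostKeyBlob` and `SignExchangeHash` are hypothetical. Negotiation follows the RFC 4253 section 7.1 rule (the client's first preference that the server also supports).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"os"
)

// The algorithm name proposed in this bug, and the existing ed25519 one.
const (
	AlgOpenPGPEd25519 = "openpgp-ed25519-cert@monkeysphere.info"
	AlgEd25519        = "ssh-ed25519"
)

// HostKey: the secret key from $FOO plus the raw bytes of $FOO.pgp (nil if
// absent). sshd never parses Sidecar; it only relays it.
type HostKey struct {
	Priv    ed25519.PrivateKey
	Sidecar []byte
}

// LoadHostKey reads $FOO and $FOO.pgp. Assumption for this example: $FOO holds
// the raw 64-byte ed25519 private key, not OpenSSH's own on-disk key format.
func LoadHostKey(path string) (*HostKey, error) {
	raw, err := os.ReadFile(path)
	if err != nil || len(raw) != ed25519.PrivateKeySize {
		return nil, fmt.Errorf("%s: need a %d-byte raw ed25519 key (%v)", path, ed25519.PrivateKeySize, err)
	}
	hk := &HostKey{Priv: ed25519.PrivateKey(raw)}
	// A missing sidecar only disables the OpenPGP algorithm; any other read
	// error is a configuration problem and must not silently downgrade.
	if hk.Sidecar, err = os.ReadFile(path + ".pgp"); err != nil && !errors.Is(err, os.ErrNotExist) {
		return nil, err
	}
	return hk, nil
}

// Negotiate (RFC 4253 s7.1): first client preference this key can serve wins; OpenPGP form needs $FOO.pgp.
func (hk *HostKey) Negotiate(clientPrefs []string) (string, error) {
	for _, c := range clientPrefs {
		if c == AlgEd25519 || (c == AlgOpenPGPEd25519 && hk.Sidecar != nil) {
			return c, nil
		}
	}
	return "", errors.New("no common host key algorithm")
}

// sshString encodes an SSH wire string: uint32 big-endian length, then bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	return append(out, b...)
}

// HostKeyBlob builds K_S: verbatim sidecar for the OpenPGP algorithm, usual string "ssh-ed25519" || string pubkey otherwise.
func (hk *HostKey) HostKeyBlob(alg string) ([]byte, error) {
	switch {
	case alg == AlgOpenPGPEd25519 && hk.Sidecar != nil:
		return hk.Sidecar, nil
	case alg == AlgEd25519:
		pub := hk.Priv.Public().(ed25519.PublicKey)
		return append(sshString([]byte(AlgEd25519)), sshString(pub)...), nil
	}
	return nil, fmt.Errorf("cannot serve host key algorithm %q", alg)
}

// SignExchangeHash signs H with the key in $FOO: an ordinary ed25519 signature whichever blob was sent.
func (hk *HostKey) SignExchangeHash(h []byte) []byte {
	return ed25519.Sign(hk.Priv, h)
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// main: constructed key file and placeholder sidecar in a temp dir, then one exchange with a client preferring the OpenPGP form.
func main() {
	dir, err := os.MkdirTemp("", "pgp-hostkey")
	check(err)
	defer os.RemoveAll(dir)
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	keyPath := dir + "/ssh_host_ed25519_key"
	check(os.WriteFile(keyPath, priv, 0o600))
	check(os.WriteFile(keyPath+".pgp", []byte("placeholder, not a real OpenPGP certificate"), 0o644))
	hk, err := LoadHostKey(keyPath)
	check(err)
	alg, err := hk.Negotiate([]string{AlgOpenPGPEd25519, AlgEd25519})
	check(err)
	blob, err := hk.HostKeyBlob(alg)
	check(err)
	h := []byte("constructed stand-in for the exchange hash H")
	ok := ed25519.Verify(pub, h, hk.SignExchangeHash(h))
	fmt.Printf("alg=%s blob=%d bytes verified=%v\n", alg, len(blob), ok)
}
```

Two points worth seeing in code: a client that does not list `openpgp-ed25519-cert@monkeysphere.info` gets the ordinary `ssh-ed25519` blob derived from the same key in `$FOO`, and a `$FOO.pgp` that exists but cannot be read is reported as an error rather than silently dropping the algorithm from the offer, so a permissions mistake does not quietly change what the host advertises. How the signature for the new algorithm name would be framed on the wire is not specified in the request; the example only shows that the same ed25519 key signs in both cases.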