Public storage for public keys

Michael Tokarev mjt at tls.msk.ru
Mon Jan 14 08:51:39 EST 2002


This question should have been asked before, but I failed to find
the discussion.

What options can be used for storing host/user pubkeys in
publicly available places?  I know OpenSSH currently
provides no option except /etc/ssh_known_hosts and ~/.ssh/known_hosts.
But what about many machines?

Think of e.g. PGP keyservers.  Note that PGP keyservers aren't
*always* a good solution.  The best one IMHO would be to use
a mechanism similar to the name service switch (as found on Solaris
and now on Linux/glibc, and on other systems as well).  Sometimes,
even this nsswitch mechanism can be used directly, by extending
it for ssh needs (since the NSS API is known).  There would be a private
module for ~/.ssh/known_hosts, a `files' module for /etc/ssh_known_hosts,
nis, ldap, db etc.  Especially useful here is LDAP, as it has more
and more uses/deployments and was designed to store this kind
of information.  Even DNS can be used here (trusted, i.e. local,
of course)!

Can something like this be done?  (No, I am not asking anyone to implement
such a mechanism, but about the possibilities of the "idea".)

Regards,
 Michael.
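The lookup chain Michael sketches above, written out as an added example that is not part of the original post and not OpenSSH code: backends are consulted in a fixed order (a private ~/.ssh/known_hosts module, a `files' module for /etc/ssh_known_hosts, then a directory service), the first one that knows the host answers, and a key a server presents is checked against that answer. The known_hosts texts, the key blobs, the backend names and the "ldap" dictionary are all constructed for the demo; the only format assumed to be real is the known_hosts line layout `host[,host...] keytype base64-blob [comment]` and the SSH public key blob starting with its type as a length-prefixed string.

```python
"""Added example: an nsswitch-style lookup chain for SSH host keys.
Not OpenSSH code; known_hosts texts and key blobs below are constructed."""
import base64
import binascii
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class HostKey:
    keytype: str
    blob: bytes   # decoded public key blob, as carried in known_hosts
    source: str   # name of the backend that supplied it

    def fingerprint(self) -> str:
        """MD5 fingerprint in the colon-separated form ssh-keygen -l printed."""
        digest = hashlib.md5(self.blob).hexdigest()
        return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def blob_keytype(blob: bytes) -> Optional[str]:
    """Key type string an SSH public key blob starts with (uint32 len + bytes)."""
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + n:
        return None
    return blob[4:4 + n].decode("ascii", errors="replace")


def parse_known_hosts(text: str, source: str) -> Dict[str, List[HostKey]]:
    """Parse 'host1[,host2...] keytype base64-blob [comment]' lines.
    Comments, malformed lines, bad base64 and lines whose blob does not
    carry the declared key type are skipped rather than trusted."""
    table: Dict[str, List[HostKey]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 3)
        if len(fields) < 3:
            continue
        hosts, keytype, encoded = fields[0], fields[1], fields[2]
        try:
            blob = base64.b64decode(encoded, validate=True)
        except (binascii.Error, ValueError):
            continue
        if blob_keytype(blob) != keytype:
            continue
        for host in hosts.split(","):
            table.setdefault(host, []).append(HostKey(keytype, blob, source))
    return table


class Backend:
    """One source of host keys, analogous to one nsswitch module."""
    def __init__(self, name: str, table: Dict[str, List[HostKey]]):
        self.name, self.table = name, table

    def lookup(self, host: str, keytype: str) -> Optional[HostKey]:
        for key in self.table.get(host, []):
            if key.keytype == keytype:
                return key
        return None


class HostKeySwitch:
    """Consult backends in order; the first one that knows the host wins."""
    def __init__(self, backends: Sequence[Backend]):
        self.backends = list(backends)

    def lookup(self, host: str, keytype: str) -> Optional[HostKey]:
        for backend in self.backends:
            key = backend.lookup(host, keytype)
            if key is not None:
                return key
        return None

    def verify(self, host: str, keytype: str, presented: bytes) -> str:
        """'ok', 'unknown' or 'mismatch:<source>' for a key a server presented."""
        stored = self.lookup(host, keytype)
        if stored is None:
            return "unknown"
        return "ok" if stored.blob == presented else "mismatch:" + stored.source


def make_blob(keytype: str, material: bytes) -> bytes:
    """Constructed stand-in for a key blob: SSH string of the type + bytes."""
    return struct.pack(">I", len(keytype)) + keytype.encode() + material


def to_b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()


KEY_A = make_blob("ssh-rsa", b"constructed key material A")
KEY_B = make_blob("ssh-rsa", b"constructed key material B")
KEY_C = make_blob("ssh-dss", b"constructed key material C")

# Constructed ~/.ssh/known_hosts: the user trusts alpha with KEY_A.
PRIVATE_TEXT = f"alpha,alpha.example.org ssh-rsa {to_b64(KEY_A)} user comment\n"
# Constructed /etc/ssh_known_hosts: stale alpha entry, beta, one bad line, junk.
FILES_TEXT = ("# system-wide host keys\n"
              f"alpha ssh-rsa {to_b64(KEY_B)}\n"
              f"beta ssh-dss {to_b64(KEY_C)}\n"
              f"gamma ssh-rsa {to_b64(KEY_C)}\n"   # declared type != blob type
              "broken-line\n")
# Constructed directory backend standing in for LDAP/NIS/DNS: knows delta.
DIRECTORY = {"delta": [HostKey("ssh-rsa", KEY_B, "ldap")]}


def build_switch() -> HostKeySwitch:
    return HostKeySwitch([Backend("private", parse_known_hosts(PRIVATE_TEXT, "private")),
                          Backend("files", parse_known_hosts(FILES_TEXT, "files")),
                          Backend("ldap", DIRECTORY)])


if __name__ == "__main__":
    sw = build_switch()
    for host, kt, blob in [("alpha", "ssh-rsa", KEY_A), ("alpha", "ssh-rsa", KEY_B),
                           ("beta", "ssh-dss", KEY_C), ("delta", "ssh-rsa", KEY_B),
                           ("gamma", "ssh-rsa", KEY_C)]:
        hit = sw.lookup(host, kt)
        print(f"{host:6} {kt:8} source={hit.source if hit else '-':8} "
              f"{sw.verify(host, kt, blob)}")
```

Two points worth noticing when running it: the private module answers for alpha before the stale system-wide entry is ever consulted, so a server presenting KEY_B for alpha is reported as a mismatch against the private source rather than silently accepted from `files'; and the gamma line is dropped at parse time because the type declared on the line disagrees with the type inside the blob, which leaves gamma unknown instead of trusting inconsistent data from a shared store.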



More information about the openssh-unix-dev mailing list