Public storage for public keys

David Terrell dbt at meat.net
Mon Jan 14 16:56:39 EST 2002


On Mon, Jan 14, 2002 at 12:51:39AM +0300, Michael Tokarev wrote:
> This question should be asked before, but I fail to find
> the discussion.
> 
> What options can be used for storing host/user pubkeys in
> a publicly available place?  I know openssh currently
> provides no option except /etc/ssh_known_hosts and ~/.ssh/known_hosts.
> But what about many machines?
> 
> Think of e.g. pgp keyservers.  Note that pgp keyservers aren't
> a good solution *always*.  The best one IMHO will be to use
> a mechanism similar to name service switch (as found on solaris
> and now on linux/glibc, and on other systems as well).  Sometimes,
> even this nsswitch mechanism can be used directly, by extending
> it for ssh needs (while nss api is known).  There will be a private
> module for ~/.ssh/known_hosts, `files' module for /etc/ssh_known_hosts,
> nis, ldap, db etc.  Especially useful here is ldap, as it has more
> and more usages/deployments and was designed to store such kind
> of information.  Even DNS can be used here (trusted, i.e. local,
> of course)!

There was a spec to use DNS KEY records written for the secsh wg
at one point, but that draft was withdrawn and there is some serious
opposition to using DNS KEY records for application keys within
DNSEXT.  That debate has not yet been resolved.

You could use LDAP.  SSH is kind of a maverick as far as using OS
provided resources for this kind of thing, though.  I'm not at all
interested in reinventing, say, NIS+.  Or even kerberos.

-- 
David Terrell            | "the only part about medicinal marijuana that 
Prime Minister, Nebcorp  | bothers me is that, when I started chemo, all of 
dbt at meat.net             | my children and grandchildren told me they could 
http://wwn.nebcorp.com/  | get some for me if I needed it." -mrw's grandfather
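The nsswitch-style lookup chain Michael sketches, written out as an added example (not code from this thread or from OpenSSH): sources are consulted in order, the first source that knows a host decides, a known host presenting a different key fails closed, and an audit pass flags hosts whose keys disagree between sources. Source names, hostnames and key strings are constructed placeholders, not real keys.

```python
"""Ordered known_hosts lookup chain, nsswitch style (added example, not OpenSSH code)."""

# Constructed known_hosts-format text; the key fields are placeholder strings, not real keys.
SOURCES = [
    ("private", """
alpha.example.test ssh-ed25519 AAAAC3-PLACEHOLDER-ALPHA-USERCOPY
"""),
    ("files", """
# comment lines and blank lines are skipped, as in a real known_hosts file
beta.example.test,10.0.0.2 ssh-ed25519 AAAAC3-PLACEHOLDER-BETA
alpha.example.test ssh-ed25519 AAAAC3-PLACEHOLDER-ALPHA-SYSTEMCOPY
"""),
]


def parse_known_hosts(text):
    """Return (hostnames, keytype, key) tuples from lines of the form 'h1,h2 type base64'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: ignore it rather than guess at its meaning
        entries.append((set(parts[0].split(",")), parts[1], parts[2]))
    return entries


def lookup_host_key(host, keytype, key, sources=SOURCES):
    """Walk the sources in order; the first one that knows the host decides.
    Returns (verdict, source_name) with verdict 'trusted', 'mismatch' or 'unknown'."""
    for name, text in sources:
        known = [e for e in parse_known_hosts(text) if host in e[0] and e[1] == keytype]
        if not known:
            continue
        if any(e[2] == key for e in known):
            return ("trusted", name)
        return ("mismatch", name)  # host is known here but with another key: fail closed
    return ("unknown", None)


def audit_conflicts(sources=SOURCES):
    """List hosts whose key differs between sources (a stale or tampered copy)."""
    seen, conflicts = {}, set()
    for _name, text in sources:
        for hosts, keytype, key in parse_known_hosts(text):
            for h in hosts:
                if seen.setdefault((h, keytype), key) != key:
                    conflicts.add(h)
    return sorted(conflicts)
```

Because the private source is consulted first, its copy of alpha's key wins even though the system file disagrees; the audit is what surfaces that disagreement.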
