Public storage for public keys

Markus Friedl markus at openbsd.org
Mon Jan 14 19:41:34 EST 2002


how can you trust ldap? or dns?

On Mon, Jan 14, 2002 at 12:51:39AM +0300, Michael Tokarev wrote:
> This question should be asked before, but I fail to find
> the discussion.
> 
> What options can be used for storing host/users pubkeys in
> publicly available places?  I know openssh currently
> provides an option except if /etc/ssh_known_hosts and ~/.ssh/known_hosts.
> But what about many machines?
> 
> Think of e.g. pgp keyservers.  Note that pgp keyservers aren't
> a good solution *always*.  The best one IMHO will be to use
> a mechanism similar to name service switch (as found on solaris
> and now on linux/glibc, and on other systems as well).  Sometimes,
> even this nsswitch mechanism can be used directly, by extending
> it for ssh needs (while nss api is known).  There will be a private
> module for ~/.ssh/known_hosts, `files' module for /etc/ssh_known_hosts,
> nis, ldap, db etc.  Especially useful here is ldap, as it has more
> and more usages/deployments and was designed to store such kind
> of information.  Even DNS can be used here (trusted, i.e. local,
> of course)!
> 
> Can something like this be done?  (No, I don't ask to implement
> such a mechanism, but about possibilities of an "idea")?
> 
> Regards,
>  Michael.
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
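The exchange above is about two separate things: the lookup mechanism (an nsswitch-style chain of `files`, `ldap`, `dns` modules) and the question of whether a key that comes back from such a lookup can be trusted. The following is an added example, not code from the thread or from OpenSSH, that illustrates the distinction. It models a small chain of key sources, each tagged as authenticated (the local known_hosts file) or not (a directory stub standing in for an unauthenticated LDAP or DNS lookup), and only lets an authenticated source produce a verified match. The hosts, key bytes and the `KeySource`, `parse_known_hosts` and `verify_host_key` names are all constructed for this example; the known_hosts line format and SHA256 fingerprint form follow OpenSSH's documented conventions.

```python
"""Host-key lookup across several sources with per-source trust (added example)."""
import base64
import hashlib
import struct
from dataclasses import dataclass, field


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(b)) + b


def ed25519_blob(raw_key: bytes) -> bytes:
    """Build the public-key blob that appears base64-encoded in a known_hosts line."""
    return _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


@dataclass
class KeySource:
    """One module in the lookup chain (hypothetical name for this example)."""
    name: str
    trusted: bool  # True only when the source itself is authenticated (e.g. a local file)
    entries: dict = field(default_factory=dict)  # host -> [(keytype, blob), ...]

    def lookup(self, host: str) -> list:
        return self.entries.get(host, [])


def parse_known_hosts(text: str) -> dict:
    """Parse plain known_hosts lines of the form 'host[,host...] keytype base64blob'."""
    table: dict = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, keytype, b64 = line.split()[:3]
        blob = base64.b64decode(b64)
        for h in hosts.split(","):
            table.setdefault(h, []).append((keytype, blob))
    return table


def verify_host_key(host: str, keytype: str, blob: bytes, sources: list) -> str:
    """Classify a presented host key against the source chain.

    Returns "trusted-match", "trusted-mismatch", "untrusted-only" or "unknown".
    Only an authenticated source can produce a match or a mismatch; an
    unauthenticated directory can at most report that someone published the
    key, which is not verification.
    """
    seen_untrusted = False
    for src in sources:
        same_type = [known for ktype, known in src.lookup(host) if ktype == keytype]
        if not same_type:
            continue
        if blob in same_type:
            if src.trusted:
                return "trusted-match"
            seen_untrusted = True  # published somewhere, but by nobody we can check
        elif src.trusted:
            return "trusted-mismatch"  # the authenticated record disagrees: refuse
    return "untrusted-only" if seen_untrusted else "unknown"


# Constructed sample keys: arbitrary 32-byte values, not real host keys.
KEY_A = ed25519_blob(bytes(range(32)))
KEY_B = ed25519_blob(bytes(range(32, 64)))

# Constructed known_hosts content for the trusted local source.
LOCAL_KNOWN_HOSTS = (
    "# ~/.ssh/known_hosts (constructed for this example)\n"
    f"alpha.example.test ssh-ed25519 {base64.b64encode(KEY_A).decode()}\n"
)


def build_sources() -> list:
    """Chain: local file (authenticated) first, then an unauthenticated directory stub."""
    local = KeySource("files", trusted=True, entries=parse_known_hosts(LOCAL_KNOWN_HOSTS))
    directory = KeySource("ldap", trusted=False, entries={
        "alpha.example.test": [("ssh-ed25519", KEY_A)],
        "beta.example.test": [("ssh-ed25519", KEY_B)],
    })
    return [local, directory]


def demo() -> dict:
    """Run the four interesting cases and return their verdicts."""
    sources = build_sources()
    return {
        "alpha-correct": verify_host_key("alpha.example.test", "ssh-ed25519", KEY_A, sources),
        "alpha-swapped": verify_host_key("alpha.example.test", "ssh-ed25519", KEY_B, sources),
        "beta-directory-only": verify_host_key("beta.example.test", "ssh-ed25519", KEY_B, sources),
        "gamma-unknown": verify_host_key("gamma.example.test", "ssh-ed25519", KEY_A, sources),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:22s} {verdict}")
    print("fingerprint of KEY_A:", fingerprint_sha256(KEY_A))
```

The "beta-directory-only" case is the one the reply is pointing at: the directory returns a key, so the lookup mechanism works, but nothing in the chain vouches for the directory itself, so the caller is no better off than with an unknown host and still has to confirm the fingerprint out of band. Making the directory source `trusted=True` is only justified when its transport or its records are themselves authenticated.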


