Public storage for public keys
Michael Tokarev
mjt at tls.msk.ru
Tue Jan 15 07:25:45 EST 2002
Frank Cusack wrote:
>
> On Mon, Jan 14, 2002 at 12:51:39AM +0300, Michael Tokarev wrote:
> > What options can be used for storing host/users pubkeys in
> > publicly available places? I know openssh currently
> > provide option except if /etc/ssh_known_hosts and ~/.ssh/known_hosts.
> > But what about many machines?
> >
> [...]
> >
> > Can something like this be done? (No, I don't ask to implement
> > such a mechanism, but about possibilities of an "idea")?
>
> There is a significant trust problem. You can't store pubkeys in
> places that are untrustworthy, like DNS, LDAP, unless you sign the keys.
> Which introduces a bunch of other problems.

Can you trust LDAP when doing auth requests to it, using e.g. pam_ldap?
Well, this is somewhat different, since pam_ldap usually runs as root
and has access to more information than is available to a regular user.
As was already pointed out, with ldap, other ways of secure
communication are available -- e.g. via TLS. The same goes for DNS.

There is another, rather common, situation as well -- imagine a
trusted local area network with a common database server in it (be
it e.g. nis server), and another network -- an ssh connection target.

There is another issue with current ssh behaviour as well -- right the
opposite one. For example, in our network there are several servers
where I have shell accounts (actually, I'm an administrator of the
whole network!). I once connected from one of those servers to a
target machine, ssh asked me if I want to connect to a host that can't
be verified -- that's fine. Now I try to connect to the same host
from another of our machines -- the same question. Then from another --
again. Well, after several such questions about *the same* target
host, my attention is lost. Next time ssh asks this question,
I'll think "aha, I wasn't connected to this host from this machine
yet, and "stupid" ssh can't figure out that our other machines
already know this host. Oh well, so hit "y<cr>" and don't worry
about that anymore, it's enough already!". Now think about
man-in-the-middle at *this* point.

Well yes, I know, other ways exist to distribute a "global"
(in a lan sense) /etc/ssh_known_hosts file. But I need to do this
manually each time I connect to a new target host.

But the question was in fact somewhat different. It wasn't about
security and how secure various sources are, but about a *possibility*
to use something like nss for pubkeys storage. Every installation
or site will decide what is usable/acceptable/secure/whatever in
their sense (after all, nfs-mounted homedir with ~/.ssh/ssh_known_hosts
(no, I don't tell here about ~/.ssh/identify w/o password!) can't be
"secure" either!). There ARE secure methods that exist and are used already
for other means.

Regards,
Michael.
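
[Added example, not part of the original message and not OpenSSH code.]
The message describes several LAN machines each prompting for the same
target host and a hand-maintained global /etc/ssh_known_hosts. This sketch
merges the per-machine known_hosts files into one candidate global file and
flags any host for which the machines recorded different keys. Machine names,
host names, key blobs and the function names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: known_hosts content collected from three client
# machines. Host names and key blobs are made up for illustration.
SAMPLES = {
    "srv-a": "target.example.org,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEYONE\n"
             "# comment line\n"
             "build.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEYTWO\n",
    "srv-b": "target.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEYONE\n",
    "srv-c": "target.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTHERKEY\n",
}

def parse_known_hosts(text):
    """Yield (host, keytype, key) for each plain entry in a known_hosts file."""
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments and marker lines (@cert-authority, @revoked).
        if not line or line[0] in "#@":
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed entry
        hosts, keytype, key = fields[:3]
        # Hashed names (|1|salt|hash) pass through as opaque strings.
        for host in hosts.split(","):
            yield host, keytype, key

def merge(per_machine):
    """Return (merged_lines, conflicts) from {machine: known_hosts text}."""
    seen = defaultdict(lambda: defaultdict(set))  # (host, type) -> key -> machines
    for machine, text in per_machine.items():
        for host, keytype, key in parse_known_hosts(text):
            seen[(host, keytype)][key].add(machine)
    merged, conflicts = [], {}
    for (host, keytype), keys in sorted(seen.items()):
        if len(keys) == 1:
            merged.append(f"{host} {keytype} {next(iter(keys))}")
        else:
            # Machines disagree: one of them accepted a different key.
            conflicts[(host, keytype)] = {k: sorted(m) for k, m in keys.items()}
    return merged, conflicts

if __name__ == "__main__":
    merged, conflicts = merge(SAMPLES)
    print("\n".join(merged))
    for (host, keytype), keys in conflicts.items():
        print(f"CONFLICT {host} {keytype}: {keys}")
```

A conflict means at least one machine answered "yes" to a key the others
never saw; it should be checked out of band before any entry for that host
goes into the shared file.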