How do I find the client key?

Michael H. Warfield mhw at wittsend.com
Mon Jun 3 10:52:41 EST 2002


On Mon, Jun 03, 2002 at 01:11:45AM +0200, Peter Stuge wrote:
> On Sun, Jun 02, 2002 at 05:39:47PM -0400, Michael H. Warfield wrote:
> > 	On server "S" I can find the client IP (IPv6) address in the
> > SSH_CLIENT environment variable.  I also need the client public key.
> > On the client side, the public key ends up added to .ssh/known_hosts
> > but what happens on the server side?  I need to retrieve this key
> > to validate the entry of a host name against a table of hosts which
> > have previously contacted me (on possibly other IP addresses) so I
> > can reject requests for names from keys which have changed.  I'm
> > trying to deal with some dynamic address problems.

> Try to set it up so that you already have the public key and use that for
> authorization?  That way you won't have to worry about addresses.

> Keys identify hosts, not IP(v*) addresses.  And public keys are just that,
> public.  Even if it feels a bit awkward, you're really supposed to
> distribute your public key as much as possible.

	Ok...  I guess I need to explain myself a little better.
This is my point.  This is where I'm trying to get to.  I'm trying
to set up a "Site Local" service for managing IPv6 DNS.  I want a
system to connect in on a "Site Local" (fce0::/48) address (and ONLY
a SITE LOCAL address, Link Local and Global Scope prohibited) and allow
him to enter his host name.  I crack the SLA and EUI out of the site
local address and confirm his "name" (simple host name) against a
table of known host names I have stored.  If he enters a name and
I have that name with a different key, I want to send him to a system
administrator.  If I don't have that name, or if the name matches the
key, I want to dynamically update the IPv6 global domain (I already
have the TLA/NLA for that) and the Site local domain and the ip6.int
reverse domain based on the synthesized global address.  The key is
the correlation between an entered name and that public key.  As
long as I know that name and key, I can accept those updates.  Since
the EUI is connected to the MAC address changes will be mostly moving
between subnets (change in SLA - think laptops) or replacement of the
ethernet card (change in EUI - hmmm - also think laptops).

> If you can't distribute keys in advance I guess you're out of luck, but then
> the system won't be quite as secure either..

	It's not a security issue other than trying to correlate collisions
in namespace for an IPv6 zone.  It's strictly a management thing.  I want
people to be able to register IPv6 systems and be able to tell them
"I have that name registered and you don't have the key, so go talk to
somebody" and reduce the chances of some ta-da-ta-da clobbering someone
else's registration.  As they say...  Da key is da key.  That's why
I want to get to the key independent of the IP(v6) address he's
connecting from.

	I might even take it one step further and add that key to the
DNS itself in a key resource record, but I'm ambivalent about if I want
to go down that road.  I also realize I have to deal with dsa/rsa/rsa1
ambiguities.  Ok, he registered with a DSA key and now wants to update
with an RSA key.  Now what do I do.  Answer...  Punt.  Punt means talk
to a sysadmin.  If that only happens 1 out of 100 times, that's 99 times
the sysadmin doesn't have to worry about screwing with the IPv6 DNS.
That's all I'm caring about right now.  Setting up a semi-automated
DNS updater for IPv6 to eliminate a lot of error prone manual entry.

	Oh...  The way it's set up now, I can also change the TLA/NLA
(change providers) and update the DNS with a single command (other
than setting up a new reverse zone - but there's no way around that).
The routers will handle the renumbering of the hosts.  DNS is still the
ugly part.

> Just some .02..


> //Peter
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
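Added example (not from this thread or from OpenSSH itself): a sketch of the registrar logic the message describes, built on the approach Peter suggests of having the public key in advance. The assumptions are that each authorized_keys line for the registrar account carries a forced command of the form `command="/usr/local/bin/register <fingerprint>"`, so the script is told which key authenticated; that the client's requested host name arrives in SSH_ORIGINAL_COMMAND; and that the connecting address comes from SSH_CLIENT. The script rejects anything that is not site-local (fec0::/10), cracks the 16-bit SLA and 64-bit interface identifier out of the address, recovers the MAC where the identifier is a modified EUI-64, synthesizes the global address from an assumed site prefix, and returns register/update/punt against a name-to-key table. The registry contents, fingerprints and the 2001:db8:1234::/48 prefix are constructed sample values.

```python
import ipaddress
import os
import sys

# Constructed sample registry: simple host name -> fingerprint of the SSH key
# it was registered with. Values are made up for this example.
REGISTRY = {
    "laptop1": "SHA256:EXAMPLEFP1",
    "desk-a":  "SHA256:EXAMPLEFP2",
}

# Assumed site prefix (TLA/NLA) used to synthesize the global address;
# 2001:db8::/32 is the documentation range, not a real allocation.
GLOBAL_PREFIX = ipaddress.IPv6Network("2001:db8:1234::/48")

SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def classify_scope(addr):
    """Return 'link-local', 'site-local' or 'global' for an IPv6 address string."""
    a = ipaddress.IPv6Address(addr)
    if a in LINK_LOCAL:
        return "link-local"
    if a in SITE_LOCAL:
        return "site-local"
    return "global"


def split_site_local(addr):
    """Crack a site-local address into its 16-bit SLA and 64-bit interface ID."""
    a = ipaddress.IPv6Address(addr)
    if a not in SITE_LOCAL:
        raise ValueError("not a site-local address: %s" % addr)
    n = int(a)
    sla = (n >> 64) & 0xFFFF
    eui = n & 0xFFFFFFFFFFFFFFFF
    return sla, eui


def mac_from_eui64(eui):
    """Recover the 48-bit MAC from a modified EUI-64, or None if it is not MAC-derived."""
    if (eui >> 24) & 0xFFFF != 0xFFFE:   # no ff:fe in the middle: not built from a MAC
        return None
    hi = ((eui >> 40) & 0xFFFFFF) ^ 0x020000   # undo the universal/local bit flip
    lo = eui & 0xFFFFFF
    mac = (hi << 24) | lo
    return ":".join("%02x" % ((mac >> (8 * i)) & 0xFF) for i in range(5, -1, -1))


def synthesize_global(sla, eui, prefix=GLOBAL_PREFIX):
    """Build the global address for the same host: site prefix + SLA + interface ID."""
    n = int(prefix.network_address) | (sla << 64) | eui
    return str(ipaddress.IPv6Address(n))


def decide(name, key_fp, registry=REGISTRY):
    """'register' (new name), 'update' (name and key match) or 'punt' (name known, key differs)."""
    known = registry.get(name)
    if known is None:
        return "register"
    return "update" if known == key_fp else "punt"


def handle_request(ssh_client, key_fp, name, registry=REGISTRY):
    """Decision for one connection; ssh_client is the SSH_CLIENT value 'addr port sport'."""
    addr = ssh_client.split()[0]
    if classify_scope(addr) != "site-local":
        return {"action": "reject", "reason": "not a site-local address"}
    sla, eui = split_site_local(addr)
    action = decide(name, key_fp, registry)
    result = {"action": action, "sla": sla, "mac": mac_from_eui64(eui),
              "global": synthesize_global(sla, eui)}
    if action != "punt":
        registry[name] = key_fp   # accepted: remember the name/key pairing
    return result


if __name__ == "__main__":
    # Assumed deployment: an authorized_keys line such as
    #   command="/usr/local/bin/register SHA256:..." ssh-rsa AAAA... host
    # and the client running:  ssh registrar@server <hostname>
    fp = sys.argv[1]
    wanted = os.environ.get("SSH_ORIGINAL_COMMAND", "").strip()
    print(handle_request(os.environ["SSH_CLIENT"], fp, wanted))
```

The forced command ties the fingerprint to the key that actually authenticated, so the key is known regardless of which address the host connects from. The ff:fe check means identifiers that are not built from a MAC (randomised or manually assigned ones) come back with no MAC; the name/key decision does not depend on it, so such hosts are still handled.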


