Hostbased authentication and certificates

Iain Morgan imorgan at nas.nasa.gov
Tue Apr 20 10:00:20 EST 2010


Hi,

Based on some experimentation with 5.4p1 and a cursory examination of
the source code, it doesn't look like hostbased authentication takes
advantage of certificates other than to authenticate the server. Is that
correct?

In cluster environments, hostbased authentication is still useful but
the size of the ssh_known_hosts file can become unwieldy in large
clusters. As an example, a few months back a colleague mentioned that in
some cases where the node being logged into was under a high load, the
login grace time had expired before the ssh_known_hosts file had been
fully parsed.

In cases where compute nodes use the same boot image and thus have the
same host keys, some reduction in the size of the ssh_known_hosts file
can be accomplished by using globbing. This assumes a regular naming
pattern for hosts, which is probably the case in a large cluster. An
appealing alternative would be to use host certificates with hostbased
authentication, but support for that does not seem to be present.

Are there any plans to add such support, or are there technical or
security reasons to not do so?

Thanks

-- 
Iain Morgan
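The ssh_known_hosts reduction the post describes, as an added example that is not part of the original message and not OpenSSH code: it merges entries whose host key is identical (nodes booted from one image) into a single comma-separated line, leaving hashed and marker lines untouched. The host names and keys below are constructed for the example.

```python
# Constructed sample: three compute nodes booted from one image share a key,
# a login node has its own key, and one entry is hashed (HashKnownHosts yes).
SAMPLE_KNOWN_HOSTS = """\
# constructed sample ssh_known_hosts
node001,10.0.0.1 ssh-rsa AAAAB3NzaC1yc2EFAKEKEY-image1
node002,10.0.0.2 ssh-rsa AAAAB3NzaC1yc2EFAKEKEY-image1
node003 ssh-rsa AAAAB3NzaC1yc2EFAKEKEY-image1 root@node003
login1 ssh-rsa AAAAB3NzaC1yc2EFAKEKEY-login
|1|c2FsdA==|aGFzaA== ssh-rsa AAAAB3NzaC1yc2EFAKEKEY-hashed
"""


def consolidate_known_hosts(text):
    """Merge entries sharing (keytype, key) into one comma-separated host line.

    Comments, hashed (|1|...) entries and marker lines (@cert-authority,
    @revoked) are kept verbatim; order of first appearance is preserved.
    Trailing key comments are dropped, since they differ per node.
    """
    hosts_by_key = {}   # (keytype, key) -> host patterns in first-seen order
    layout = []         # ("raw", line) or ("key", (keytype, key))
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#|@":
            layout.append(("raw", raw))        # comment, hashed host or marker
            continue
        fields = line.split(None, 3)           # hosts keytype key [comment]
        if len(fields) < 3:
            layout.append(("raw", raw))        # malformed: leave for the admin
            continue
        ident = (fields[1], fields[2])
        if ident not in hosts_by_key:
            hosts_by_key[ident] = []
            layout.append(("key", ident))
        for host in fields[0].split(","):
            if host not in hosts_by_key[ident]:
                hosts_by_key[ident].append(host)
    out = []
    for kind, value in layout:
        if kind == "raw":
            out.append(value)
        else:
            out.append("%s %s %s" % (",".join(hosts_by_key[value]), value[0], value[1]))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    merged = consolidate_known_hosts(SAMPLE_KNOWN_HOSTS)
    print("%d lines -> %d lines" % (len(SAMPLE_KNOWN_HOSTS.splitlines()),
                                    len(merged.splitlines())))
    print(merged, end="")
```

A merged line matches exactly the same hosts as the separate lines did, so sshd's hostbased check is unchanged; once the naming scheme is confirmed, the long host list can be replaced by a pattern such as `node*` as the post suggests.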
