Question about host certificates

Iain Morgan imorgan at
Sat Jun 5 08:12:28 EST 2010

On Thu, Mar 18, 2010 at 17:55:02 -0500, Damien Miller wrote:
> On Thu, 18 Mar 2010, Iain Morgan wrote:
> > Hi,
> > 
> > I'm experimenting with host certificates in 5.4p1 and seem to have hit a
> > usability issue. I've generated a host certificate, added the
> > HostCertificate option to the sshd_config and restarted sshd. I've
> > replaced the system's ssh_known_hosts file with one that has a single
> > entry of the form:
> > 
> > @cert-authority *.example.domain ssh-rsa ...
> > 
> > This works provided that I use the host's FQDN when I ssh to it. If I
> > use an unqualified name, the connection is made but the certificate
> > verification fails. I suppose an entry like
> > 
> > @cert-authority *,*.example.domain ssh-rsa ...
> > 
> > would work, but it doesn't seem prudent. How are you supposed to specify
> > that the cert-authority is for the local domain? It seems like the name
> > of the target host should be resolved to a FQDN prior to checking
> > whether or not the cert-authority is applicable.
> > 
> > I know this issue _could_ be addressed by listing the unqualified name
> > as well as the globbed domain name, but that doesn't seem like a very
> > scalable solution.
> Yes, it would be good if we could get feedback from the resolver as to
> which effective FQDN was used for resolution so we could canonicalise the
> name without an unsafe reverse lookup step. I haven't yet looked into
> how to do this.
> Two more alternatives: have some way of expressing wildcards that match
> only unqualified domains (e.g. rtr-syd-*[^.]*) or allow CIDR address
> matching in the host list so you could specify something like:
> @cert-authority ssh-rsa ...
> Though we would need to think through the consequences first.
> -d

Hi Damien,

If possible, I would prefer hostname or CIDR support. In either case, it
might be worthwhile to use addr_match_list() instead of match_hostname()
to handle the (admittedly rare) case where an explicit IP address is
used on the command-line.

Yet another approach occurred to me recently. It would not be a complete
solution but would have the virtue of being simple and could address
(for the most part) environments such as compute clusters: Generalize
the HostName directive. In particular, add support for a %h macro. That
would allow something like this in ~/.ssh/config:

Host foo bar baz quux

In cases where the list of unqualified hostnames can easily be
enumerated or match a convenient pattern, this could be a solution.


Iain Morgan
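The name-matching behaviour the thread is discussing, shown as an added illustration that is not code from the thread or from OpenSSH: a small Python emulation of match_hostname() and addr_match_list() applied to @cert-authority lines, plus the %h canonicalization Iain proposes. The ssh_known_hosts lines, the CIDR entry syntax and the canonicalize() helper are constructed for this example.

```python
import fnmatch
import ipaddress

# Constructed ssh_known_hosts content for this example. The CIDR entry uses
# the syntax floated in the thread; OpenSSH 5.4 does not accept it.
KNOWN_HOSTS = """\
@cert-authority *.example.domain ssh-rsa AAAA...CA-KEY-PLACEHOLDER
@cert-authority 10.1.0.0/16,!10.1.99.0/24 ssh-rsa AAAA...CA-KEY-PLACEHOLDER
"""

def match_hostname(host, patterns):
    # Emulates match_hostname(): comma-separated globs, '!' negates, and a
    # negated match rejects the whole list. '*' also matches dots.
    host, matched = host.lower(), False
    for pat in patterns.lower().split(","):
        if fnmatch.fnmatchcase(host, pat.lstrip("!")):
            if pat.startswith("!"):
                return False
            matched = True
    return matched

def addr_match_list(addr, patterns):
    # Emulates addr_match_list(): comma-separated CIDR ranges, '!' negates.
    ip, matched = ipaddress.ip_address(addr), False
    for pat in patterns.split(","):
        if ip in ipaddress.ip_network(pat.lstrip("!"), strict=False):
            if pat.startswith("!"):
                return False
            matched = True
    return matched

def ca_applies(known_hosts, host, addr=None):
    # True if some @cert-authority line covers the target host or address.
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "@cert-authority":
            continue
        patterns = fields[1]
        if "/" in patterns:          # hostnames never contain '/', CIDRs do
            if addr is not None and addr_match_list(addr, patterns):
                return True
        elif match_hostname(host, patterns):
            return True
    return False

def canonicalize(host, domain):
    # The %h proposal from the post, i.e. HostName %h.<domain> for bare names.
    return host if "." in host else f"{host}.{domain}"
```

With only the *.example.domain entry, the bare name "node01" never matches, which is exactly the failure reported; canonicalizing it first, or matching on the resolved address, makes the CA entry apply.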
