Question about host certificates

Iain Morgan imorgan at nas.nasa.gov
Sat Jun 5 08:52:47 EST 2010


On Fri, Jun 04, 2010 at 17:12:28 -0500, Iain Morgan wrote:
> On Thu, Mar 18, 2010 at 17:55:02 -0500, Damien Miller wrote:
> > On Thu, 18 Mar 2010, Iain Morgan wrote:
> > 
> > > Hi,
> > > 
> > > I'm experimenting with host certificates in 5.4p1 and seem to have hit a
> > > usability issue. I've generated a host certificate, added the
> > > HostCertificate option to the sshd_config and restarted sshd. I've
> > > replaced the system's ssh_known_hosts file with one that has a single
> > > entry of the form:
> > > 
> > > @cert-authority *.example.domain ssh-rsa ...
> > > 
> > > This works provided that I use the host's FQDN when I ssh to it. If I
> > > use an unqualified name, the connection is made but the certificate
> > > verification fails. I suppose an entry like
> > > 
> > > @cert-authority *,*.example.domain ssh-rsa ...
> > > 
> > > would work, but it doesn't seem prudent. How are you supposed to specify
> > > that the cert-authority is for the local domain? It seems like the name
> > > of the target host should be resolved to a FQDN prior to checking
> > > whether or not the cert-authority is applicable.
> > > 
> > > I know this issue _could_ be addressed by listing the unqualified name
> > > as well as the globbed domain name, but that doesn't seem like a very
> > > scalable solution.
> > 
> > Yes, it would be good if we could get feedback from the resolver as to
> > which effective FQDN was used for resolution so we could canonicalise the
> > name without an unsafe reverse lookup step. I haven't yet looked into
> > how to do this.
> > 
> > Two more alternatives: have some way of expressing wildcards that match
> > only unqualified domains (e.g. rtr-syd-*[^.]*) or allow CIDR address
> > matching in the host list so you could specify something like:
> > 
> > @cert-authority 10.0.0.0/8 ssh-rsa ...
> > 
> > Though we would need to think through the consequences first.
> > 
> > -d
> 
> Hi Damien,
> 
> If possible, I would prefer hostname or CIDR support. In either case, it
> might be worthwhile to use addr_match_list() instead of match_hostname()
> to handle the (admittedly rare) case where an explicit IP address is
> used on the command-line.
> 
> Yet another approach occurred to me recently. It would not be a complete
> solution but would have the virtue of being simple and could address
> (for the most part) environments such as compute clusters: Generalize
> the HostName directive. In particular, add support for a %h macro. That
> would allow something like this in ~/.ssh/config:
> 
> Host foo bar baz quux
> 	HostName	%h.example.com
> 
> In cases where the list of unqualified hostnames can easily be
> enumerated or match a convenient pattern, this could be a solution.
> 
> Regards,
> 

Hmm, after some further reflection I suspect that HostKeyAlias would be
a better choice for this than HostName.

-- 
Iain Morgan
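As an added illustration of the matching behaviour discussed in this thread (example code, not from OpenSSH or from any of the posters): a simplified model of how a `@cert-authority` line's host pattern is matched against the name the client connected to, plus the client-side qualification step that a `HostName`/`HostKeyAlias` `%h.example.domain` rule would supply. The known_hosts content, the `example.domain` name and the key placeholder are constructed.

```python
import re

# Constructed ssh_known_hosts content modelled on the thread; the key is a placeholder.
KNOWN_HOSTS = """\
@cert-authority *.example.domain ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER
"""

def _pattern_to_regex(pattern: str) -> re.Pattern:
    # OpenSSH-style patterns know only '*' (any run) and '?' (one char);
    # every other character is literal, and hostnames compare case-insensitively.
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def match_pattern_list(name: str, pattern_list: str) -> bool:
    """Comma-separated patterns; a leading '!' negates and a negated match wins outright."""
    for pat in pattern_list.split(","):
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if _pattern_to_regex(pat).match(name):
            return not negated
    return False

def applicable_cert_authorities(hostname: str, known_hosts: str) -> list:
    """Return the CA key strings (type + blob) whose host pattern covers hostname."""
    cas = []
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "@cert-authority":
            continue
        if match_pattern_list(hostname, fields[1]):
            cas.append(" ".join(fields[2:4]))
    return cas

def canonicalise(hostname: str, default_domain: str) -> str:
    """Client-side qualification, as a HostName/HostKeyAlias '%h.<domain>' rule would do it."""
    return hostname if "." in hostname else f"{hostname}.{default_domain}"

if __name__ == "__main__":
    # The usability issue from the thread: the bare name matches no CA line ...
    print("host1 ->", applicable_cert_authorities("host1", KNOWN_HOSTS))
    # ... while the qualified name does.
    print("host1 (qualified) ->",
          applicable_cert_authorities(canonicalise("host1", "example.domain"), KNOWN_HOSTS))
```

Running it also shows why the `*,*.example.domain` entry the thread calls imprudent is so: `match_pattern_list("anything.else", "*,*.example.domain")` is true, so that CA would be trusted for every host.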
