OpenSSH PKI [was: Re: Call for testing: OpenSSH-5.4]
Damien Miller
djm at mindrot.org
Thu Mar 4 22:13:37 EST 2010
On Sun, 28 Feb 2010, Damien Miller wrote:
> On Sat, 27 Feb 2010, Daniel Kahn Gillmor wrote:
>
> > 1) Revocations -- there is no room in the infrastructure i can see for
> > revocations. What should a certificate authority do if it discovers
> > that the private key belonging to a certificate has been compromised,
> > and the certificate is not yet expired? What should a server operator
> > do who knows this situation, but currently relies on other
> > certifications from that CA?
>
> Revocation is planned to be implemented as a simple file containing a list
> of banned keys.
This is now implemented and will be in tomorrow's snapshot. sshd_config
gets a new RevokedKeys directive that can point to a file containing
keys to ban. ssh(1) will look for a new @revoked marker in known_hosts
and ban any key that it sees with the following warning:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REVOKED HOST KEY DETECTED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for localhost is marked as revoked.
This could mean that a stolen key is being used to
impersonate this host.
> > If i certify
> > a key for "foo" does that work on all "foo" accounts on every machine
> > that trusts my CA?
>
> yes. Remember that CA keys can be trusted on an account by account basis,
> so if there are subsets of hosts within a domain that use a different
> naming scheme then the users who trust the CA for login can be subsetted.
>
> I'm planning to add a sshd-wide (well, Match block wide) way to specify
> trusted CA keys too.
This is done too: there is an sshd_config TrustedUserCAKeys option that
allows sshd to trust zero or more CA keys to authenticate and authorize
users. This option can be set or overridden in a Match block, so it is
possible to turn it on for certain users or groups only.
There are a bunch more regress tests for these, so please rerun the tests
using the latest snapshots if you get a chance.
-d
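The two revocation checks described in this message, modelled as an added example (this is not code from the message or from OpenSSH): the ssh(1) side looks up a host key in known_hosts and lets a matching @revoked line override an ordinary matching line, while the sshd side refuses any user key listed in the RevokedKeys file. The known_hosts and RevokedKeys contents, host names and key blobs are constructed placeholders; hashed known_hosts entries and certificate parsing are left out.

```python
"""Model of OpenSSH-style revocation lookups: @revoked / @cert-authority markers
in known_hosts (client side) and the sshd RevokedKeys list (server side).
Added example, not OpenSSH source code."""
from fnmatch import fnmatchcase

MARKERS = ("@revoked", "@cert-authority")

# Constructed sample known_hosts; the key blobs are placeholders, not real keys.
KNOWN_HOSTS = """\
# plain host key, accepted only for the listed names
db.example.net,10.0.0.5 ssh-rsa AAAAB3CONSTRUCTED_DB_KEY
# CA trusted for hosts under example.net, except the lab hosts
@cert-authority *.example.net,!lab-*.example.net ssh-rsa AAAAB3CONSTRUCTED_CA_KEY
# stolen host key: the '*' pattern bans it for every host, not only its old one
@revoked * ssh-rsa AAAAB3CONSTRUCTED_STOLEN_KEY
"""

# Constructed sample sshd RevokedKeys file: one banned public key per line.
REVOKED_KEYS = """\
# keys that must never authenticate a user, even if a trusted CA certified them
ssh-rsa AAAAB3CONSTRUCTED_STOLEN_KEY laptop@example.net
"""


def parse_known_hosts(text):
    """Yield (marker, host_patterns, key_type, key_blob) for each usable line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):
            if fields[0] not in MARKERS:
                continue  # unknown marker: ignore the line rather than guess
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue  # malformed line: no hostname, type and blob
        yield marker, fields[0].split(","), fields[1], fields[2]


def host_matches(patterns, host):
    """Comma-separated glob patterns; any matching '!' pattern vetoes the entry."""
    if any(p.startswith("!") and fnmatchcase(host, p[1:]) for p in patterns):
        return False
    return any(not p.startswith("!") and fnmatchcase(host, p) for p in patterns)


def classify_host_key(known_hosts, host, key_type, key_blob):
    """Return 'revoked', 'known' or 'unknown' for the key a host presented.
    A matching @revoked line wins over any matching plain line."""
    verdict = "unknown"
    for marker, patterns, ktype, blob in parse_known_hosts(known_hosts):
        if (ktype, blob) != (key_type, key_blob) or not host_matches(patterns, host):
            continue
        if marker == "@revoked":
            return "revoked"
        if marker is None:
            verdict = "known"  # keep scanning: a later @revoked line still wins
    return verdict


def trusted_cas_for(known_hosts, host):
    """CA keys (type, blob) whose @cert-authority pattern covers the host."""
    return [(ktype, blob)
            for marker, patterns, ktype, blob in parse_known_hosts(known_hosts)
            if marker == "@cert-authority" and host_matches(patterns, host)]


def is_revoked_user_key(revoked_keys, key_type, key_blob):
    """sshd RevokedKeys check: is this public key on the banned list?"""
    for line in revoked_keys.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) >= 2 and (fields[0], fields[1]) == (key_type, key_blob):
            return True
    return False


if __name__ == "__main__":
    stolen = ("ssh-rsa", "AAAAB3CONSTRUCTED_STOLEN_KEY")
    print("build01:", classify_host_key(KNOWN_HOSTS, "build01.example.net", *stolen))
    print("CA for www:", trusted_cas_for(KNOWN_HOSTS, "www.example.net"))
    print("user key banned:", is_revoked_user_key(REVOKED_KEYS, *stolen))
```

Two design points carry over from the behaviour the message describes: revocation is checked against the whole file, not just the first matching line, so a stolen key listed under "@revoked *" is refused for any host name it is later presented with; and the RevokedKeys list is consulted independently of certificate trust, which is what lets an operator keep trusting a CA while banning one key it signed.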