OpenSSH PKI [was: Re: Call for testing: OpenSSH-5.4]

Damien Miller djm at mindrot.org
Thu Mar 4 22:13:37 EST 2010


On Sun, 28 Feb 2010, Damien Miller wrote:

> On Sat, 27 Feb 2010, Daniel Kahn Gillmor wrote:
> 
> >  1) Revocations -- there is no room in the infrastructure i can see for
> > revocations.  What should a certificate authority do if it discovers
> > that the private key belonging to a certificate has been compromised,
> > and the certificate is not yet expired?  What should a server operator
> > do who knows this situation, but currently relies on other
> > certifications from that CA?
> 
> Revocation is planned to be implemented as a simple file containing a list
> of banned keys.

This is now implemented and will be in tomorrow's snapshot. sshd_config
gets a new RevokedKeys directive that can point to a file containing
keys to ban. ssh(1) will look for a new @revoked marker in known_hosts
and ban any key that it sees with the following warning:

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @       WARNING: REVOKED HOST KEY DETECTED!               @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    The RSA host key for localhost is marked as revoked.
    This could mean that a stolen key is being used to
    impersonate this host.

> >  If i certify
> > a key for "foo" does that work on all "foo" accounts on every machine
> > that trusts my CA?
> 
> Yes. Remember that CA keys can be trusted on an account by account basis,
> so if there are subsets of hosts within a domain that use a different
> naming scheme then the users who trust the CA for login can be subsetted.
> 
> I'm planning to add an sshd-wide (well, Match block wide) way to specify
> trusted CA keys too.

This is done too: there is an sshd_config TrustedUserCAKeys option that
allows sshd to trust zero or more CA keys to authenticate and authorize
users. This option can be set or overridden in a Match block, so it is
possible to turn it on for certain users or groups only.

There are a bunch more regress tests for these, so please rerun the tests
using the latest snapshots if you get a chance.

-d
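The three files this message describes, laid out as an added example that is not from the post or the OpenSSH tree: the directive names (RevokedKeys, TrustedUserCAKeys, the @revoked marker) are the ones named above; the `Match Group admins` scope, the file paths and the key blobs are placeholders I chose.

```shell
#!/bin/sh
# Added example, not part of the original post or of OpenSSH itself.
# Server side: a RevokedKeys list plus a Match block that trusts a user CA
# for one group only. Client side: a known_hosts @revoked entry that makes
# ssh(1) refuse a stolen host key. All key blobs are constructed placeholders.
set -eu

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT

# Constructed placeholder key blobs (not real key material).
STOLEN_BLOB='AAAAB3NzaC1yc2EAAAADAQABAAAAplaceholder-stolen-host-key'
CA_BLOB='AAAAB3NzaC1yc2EAAAADAQABAAAAplaceholder-user-ca-key'
STOLEN_HOST_KEY="ssh-rsa $STOLEN_BLOB"
USER_CA_KEY="ssh-rsa $CA_BLOB"

# 1) sshd side: the revoked-keys file is a plain list of public keys,
#    one per line, that sshd must refuse regardless of any certificate.
printf '%s\n' "$STOLEN_HOST_KEY" > "$DEMO/revoked_keys"
printf '%s\n' "$USER_CA_KEY" > "$DEMO/user_ca.pub"

# 2) sshd_config fragment: RevokedKeys applies globally, while
#    TrustedUserCAKeys sits in a Match block so only members of the
#    "admins" group (assumed name) can log in with CA-signed certificates.
cat > "$DEMO/sshd_config" <<EOF
RevokedKeys $DEMO/revoked_keys
Match Group admins
    TrustedUserCAKeys $DEMO/user_ca.pub
EOF

# 3) ssh(1) side: an @revoked line whose host pattern "*" bans the key for
#    every host, which triggers the REVOKED HOST KEY warning quoted above.
cat > "$DEMO/known_hosts" <<EOF
@revoked * $STOLEN_HOST_KEY
EOF

# Exit 0 if BLOB is banned by an @revoked line in the known_hosts file FILE.
# Fields of such a line: marker, host pattern, key type, key blob.
known_hosts_revoked() {
    awk -v blob="$2" '$1 == "@revoked" && $4 == blob { found = 1 }
                      END { exit !found }' "$1"
}

# Exit 0 if BLOB appears in the RevokedKeys file FILE (key type, blob per line).
revoked_keys_lists() {
    awk -v blob="$2" '$2 == blob { found = 1 } END { exit !found }' "$1"
}
```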

