Question about host certificates
Iain Morgan
imorgan at nas.nasa.gov
Fri Mar 19 09:17:31 EST 2010
Hi,
I'm experimenting with host certificates in 5.4p1 and seem to have hit a
usability issue. I've generated a host certificate, added the
HostCertificate option to the sshd_config and restarted sshd. I've
replaced the system's ssh_known_hosts file with one that has a single
entry of the form:
@cert-authority *.example.domain ssh-rsa ...
This works provided that I use the host's FQDn when I ssh to it. If I
use an unqualified name, the connection is made but the certificate
verification fails. I suppose an entry like
@cert-authority *,*.example.domain ssh-rsa ...
would work, but it doesn't seem prudent. How are you supposed to specify
that the cert-authority is for the local domain? It seem like the name
of the target host should be resolved to a FQDN prior to checking
whether or not the cert-authority is applicable.
I know this issue _could_ be addressed by listing the unqualified name
as well as the globbed domain name, but that doesn't seem like a very
scalable solution.
Thanks
--
Iain Morgan
More information about the openssh-unix-dev
mailing list