Question about host certificates

Iain Morgan imorgan at nas.nasa.gov
Fri Mar 19 09:17:31 EST 2010


Hi,

I'm experimenting with host certificates in 5.4p1 and seem to have hit a
usability issue. I've generated a host certificate, added the
HostCertificate option to the sshd_config and restarted sshd. I've
replaced the system's ssh_known_hosts file with one that has a single
entry of the form:

@cert-authority *.example.domain ssh-rsa ...

This works provided that I use the host's FQDN when I ssh to it. If I
use an unqualified name, the connection is made but the certificate
verification fails. I suppose an entry like

@cert-authority *,*.example.domain ssh-rsa ...

would work, but it doesn't seem prudent. How are you supposed to specify
that the cert-authority is for the local domain? It seems like the name
of the target host should be resolved to a FQDN prior to checking
whether or not the cert-authority is applicable.

I know this issue _could_ be addressed by listing the unqualified name
as well as the globbed domain name, but that doesn't seem like a very
scalable solution.

Thanks

-- 
Iain Morgan
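The behaviour described in the post can be reproduced with a small model of how OpenSSH matches the host-pattern field of a known_hosts line. This is added example code written for this archive page, not code from the post or from OpenSSH itself: it implements the documented pattern rules (comma-separated patterns, `*` and `?` wildcards, `!` negation, case-insensitive comparison; hashed `|1|...` entries and `[host]:port` forms are left out) and then checks the three candidate `@cert-authority` lines against the names a user might type. The host names, domain and key material are constructed placeholders.

```python
"""Model of OpenSSH known_hosts host-pattern matching, applied to the
@cert-authority lines discussed in the post above.  Added example; the
hosts, domain and key strings are constructed, not real."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def glob_match(pattern: str, name: str) -> bool:
    """OpenSSH-style wildcard match: '*' matches any run of characters
    (including none), '?' exactly one; comparison is case-insensitive."""
    pattern, name = pattern.lower(), name.lower()

    def rec(p: int, n: int) -> bool:
        while p < len(pattern):
            c = pattern[p]
            if c == "*":
                while p < len(pattern) and pattern[p] == "*":
                    p += 1  # collapse runs of '*'
                if p == len(pattern):
                    return True
                return any(rec(p, k) for k in range(n, len(name) + 1))
            if n >= len(name):
                return False
            if c != "?" and c != name[n]:
                return False
            p += 1
            n += 1
        return n == len(name)

    return rec(0, 0)


def pattern_list_match(patterns: str, name: str) -> bool:
    """Comma-separated pattern list; a negated ('!') match rejects the name
    even if another pattern on the same line accepts it."""
    matched = False
    for pat in patterns.split(","):
        if pat.startswith("!"):
            if glob_match(pat[1:], name):
                return False
        elif glob_match(pat, name):
            matched = True
    return matched


@dataclass
class KnownHostsEntry:
    marker: Optional[str]  # '@cert-authority', '@revoked' or None
    patterns: str
    keytype: str
    key: str


def parse_known_hosts(text: str) -> List[KnownHostsEntry]:
    """Parse the plain (unhashed) known_hosts line format."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 3)
        marker = None
        if fields[0].startswith("@"):
            marker = fields.pop(0)
        if len(fields) < 3:
            raise ValueError(f"malformed known_hosts line: {line!r}")
        entries.append(KnownHostsEntry(marker, fields[0], fields[1], fields[2].split()[0]))
    return entries


def ca_trusted_for(entries: List[KnownHostsEntry], hostname: str) -> bool:
    """True if some @cert-authority entry's pattern accepts the name exactly
    as typed on the command line (no resolution to a FQDN happens first)."""
    return any(e.marker == "@cert-authority" and pattern_list_match(e.patterns, hostname)
               for e in entries)


# Constructed candidate ssh_known_hosts contents; key is a placeholder.
KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-constructed-placeholder-key"
VARIANTS = {
    "domain-only": f"@cert-authority *.example.domain {KEY}",
    "star-anything": f"@cert-authority *,*.example.domain {KEY}",   # the 'not prudent' line
    "explicit-list": f"@cert-authority host1,host2,*.example.domain {KEY}",
}
NAMES = ["host1", "host1.example.domain", "evil.other.net", "host3"]


def trust_matrix() -> Dict[Tuple[str, str], bool]:
    """Which (variant, typed host name) pairs would have the CA applied."""
    return {(v, n): ca_trusted_for(parse_known_hosts(text), n)
            for v, text in VARIANTS.items() for n in NAMES}


if __name__ == "__main__":
    for (variant, name), ok in trust_matrix().items():
        print(f"{variant:14} {name:22} CA applies: {ok}")
```

Running it shows the trade-off in the post: `*.example.domain` applies the CA only when the fully qualified name is typed, `*,*.example.domain` applies it to any name at all (including hosts outside the domain), and an explicit list covers the short names without that overreach, at the cost of maintaining the list.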

