hostbase authentication of hostcertificate

Iain Morgan imorgan at nas.nasa.gov
Thu May 27 02:20:44 EST 2010


On Wed, May 26, 2010 at 04:42:04 -0500, kai_yang2008 wrote:
> Dear All,
>  
> I am trying to use the hostcertificate to do the hostbased authentication with the steps in the regress/cert-hostkey.sh
> But it seems that it cannot login with the hostcertificate:

Right. As has been previously noted on this list, hostbased
authentication does not currently take advantage of host certificates.
They are only used by the client to validate the server.

I've been working on a patch that would add certificate support for
hostbased authentication and hope to submit it fairly soon. Thus far, it
looks like fairly minimal changes would be needed to support it. In
fact, it looks like no changes need to be made to the server. But I may
have overlooked something and haven't tested the code yet.

The one awkward thing that I have been wrestling with is the number of
hostbased authentication attempts that a client might try. Currently, if
a server offers hostbased authentication but does not trust the client
system, the client will try hostbased authentication twice. If
certificate support is added and the client has both an RSA and DSA
cert, it could try as many as four times.

It seems that some strategy is needed to either limit the number of
hostbased authentication attempts or to customize the order in which
keys and certs will be tried.

-- 
Iain Morgan
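The attempt-count problem described in the message above, modelled as an added Python example (not OpenSSH code and not the patch Iain describes). It assumes a client holding an RSA and a DSA host key, optionally with a matching certificate for each, and compares two hypothetical ordering strategies together with a cap on the number of hostbased attempts. The key-type strings follow the OpenSSH naming for certificate key types; the HostKey class, the strategy names and the cap are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of a client's hostbased key material (not OpenSSH's data structures).
@dataclass(frozen=True)
class HostKey:
    algo: str        # plain host key algorithm, e.g. "ssh-rsa" or "ssh-dss"
    has_cert: bool   # True if a certificate for this key is also loaded


def cert_type(algo: str) -> str:
    """Certificate key-type name used by OpenSSH for a plain key algorithm (assumed v01 format)."""
    return f"{algo}-cert-v01@openssh.com"


def hostbased_attempts(keys: List[HostKey],
                       strategy: str = "per_key",
                       max_attempts: Optional[int] = None) -> List[Tuple[str, bool]]:
    """Return the ordered list of (key type, is_certificate) hostbased attempts a client would make.

    strategy "per_key":   for each key, try its certificate (if any) and then the plain key;
                          this is the naive order that yields up to four attempts with RSA+DSA certs.
    strategy "certs_first": try every certificate before any plain key, so a server that
                          trusts the CA succeeds on the first attempt and untrusted plain keys
                          are tried last (hypothetical ordering, not OpenSSH behaviour).
    max_attempts:         optional cap on the total number of attempts (hypothetical limit).
    """
    if strategy == "per_key":
        attempts = []
        for k in keys:
            if k.has_cert:
                attempts.append((cert_type(k.algo), True))
            attempts.append((k.algo, False))
    elif strategy == "certs_first":
        attempts = [(cert_type(k.algo), True) for k in keys if k.has_cert]
        attempts += [(k.algo, False) for k in keys]
    else:
        raise ValueError(f"unknown strategy: {strategy}")

    if max_attempts is not None:
        attempts = attempts[:max_attempts]
    return attempts


if __name__ == "__main__":
    # Constructed scenario: an RSA and a DSA host key, each with a certificate.
    keys = [HostKey("ssh-rsa", True), HostKey("ssh-dss", True)]
    for strategy in ("per_key", "certs_first"):
        for cap in (None, 2):
            seq = hostbased_attempts(keys, strategy, cap)
            print(f"{strategy:12s} cap={cap}: {len(seq)} attempts ->", [t for t, _ in seq])
```

With both keys and both certificates loaded, the naive per-key order produces four attempts, which is the case the message flags; without certificates the same function yields the current two. Capping at two with the certs-first strategy means only the two certificates are offered, so a server that does not trust the CA sees two failures rather than four, and one that does trust it succeeds on the first try.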
