hostbase authentication of hostcertificate

kai_yang2008 kai_yang2008 at
Thu May 27 12:16:57 EST 2010

Hi Morgan,
Oh, thank you for you explanation.
Due to the times of the client try to do the host-basedauthentication with the certificate 
support, then you may follow the principle of the certificate for the user.
Best regards,

在2010-05-27 00:20:44,"Iain Morgan" <imorgan at> 写道:
>On Wed, May 26, 2010 at 04:42:04 -0500, kai_yang2008 wrote:
>> Dear All,
>> I am trying to use the hostcertificate to do the hostbaed authentication with the steps in the regress/
>> But it seems that it can not login with the hostcertificate.:
>Right. As has been previously noted on this list, hostbased
>authentication does not currently take advantage of host certificates.
>The are only used by the client to validate the server.
>I've been working on a patch that would add certificate support for
>hostbased authentication and hope to submit it fairly soon. Thus far, it
>looks like fairly minimal changes would be needed to support it. In
>fact, it looks like no changes need to be made to the server. But I may
>have overlooked something and haven't tested the code yet.
>The one awkward thing that I have been wrestling with is the number of
>hostbased authentication attempts that a client might try. Currently, if
>a server offers hostbased authentication but does not trust the client
>system, the client will try hostbased authentication twice. If
>certificate support is added and the client has both an RSA and DSA
>cert, it could try as many as four times.
>It seems that some strategy is needed to either limit the number of
>hostbased authentication attempts or to customize the order in which
>keys and certs will be tried.
>Iain Morgan

More information about the openssh-unix-dev mailing list