hostbase authentication of hostcertificate

kai_yang2008 kai_yang2008 at 163.com
Thu May 27 12:16:57 EST 2010


Hi Morgan,
 
Oh, thank you for your explanation.
Regarding the number of times the client tries to do host-based authentication with certificate 
support, you may follow the principle of the certificate for the user.
 
Best regards,
Kevin




At 2010-05-27 00:20:44, "Iain Morgan" <imorgan at nas.nasa.gov> wrote:
>On Wed, May 26, 2010 at 04:42:04 -0500, kai_yang2008 wrote:
>> Dear All,
>>  
>> I am trying to use the hostcertificate to do the hostbased authentication with the steps in the regress/cert-hostkey.sh
>> But it seems that it cannot log in with the hostcertificate:
>
>Right. As has been previously noted on this list, hostbased
>authentication does not currently take advantage of host certificates.
>They are only used by the client to validate the server.
>
>I've been working on a patch that would add certificate support for
>hostbased authentication and hope to submit it fairly soon. Thus far, it
>looks like fairly minimal changes would be needed to support it. In
>fact, it looks like no changes need to be made to the server. But I may
>have overlooked something and haven't tested the code yet.
>
>The one awkward thing that I have been wrestling with is the number of
>hostbased authentication attempts that a client might try. Currently, if
>a server offers hostbased authentication but does not trust the client
>system, the client will try hostbased authentication twice. If
>certificate support is added and the client has both an RSA and DSA
>cert, it could try as many as four times.
>
>It seems that some strategy is needed to either limit the number of
>hostbased authentication attempts or to customize the order in which
>keys and certs will be tried.
>
>-- 
>Iain Morgan


More information about the openssh-unix-dev mailing list