Feature Request: Plugin Model for authorizing public keys
Peter Stuge
peter at stuge.se
Wed Feb 9 23:17:46 EST 2011
Simon Wilkinson wrote:
>> At FOSDEM we had a short discussion about a similar simple way of
>> also extending host key lookups, in lieu of the more intrusive GSSAPI
>> kex patch which seems to take a different approach.
>
> The GSSAPI kex patch (an implementation of RFC4462) is designed to remove
> the need for host keys entirely, rather than just making it easier to
> verify that the key you've been given is valid.
Right! We were briefly discussing why it might not yet have gotten
included into OpenSSH.
> On large sites - and some of the sites with GSSAPI key exchange
> deployed have tens of thousands of machines - removing the need for
> ssh host key management is a significant saving.
Yes! Our thought was that maybe the same problem could be solved in a
simpler fashion, not going quite all the way. I.e. still having host
keys, but at least being able to validate them centrally using an
already-acquired Kerberos ticket.
//Peter