HostKey Management

Mike Kelly mike at
Fri Jan 18 09:57:51 EST 2013

On 01/17/2013 12:12 PM, Carson Gaspar wrote:
> On 1/17/13 8:08 AM, Mike Kelly wrote:
>> Two people replied to me off-list to mention GSSAPIKeyExchange, which
>> seems to be part of some patches that aren't in the main OpenSSH
>> distribution (yet?), with this being their source, as far as Google can
>> tell me:
>> Those don't seem to have been updated for versions 5.8, 5.9, 6.0, or
>> 6.1, though... so I guess it's been abandoned?
> I hope not. I really hope it makes it into mainline openssh - we rely on
> it heavily, and many vendors ship with that patch (Red Hat does, and
> Oracle has it in their fork).
>> Also, as far as I'm aware (though, maybe I've just not learned enough
>> about Kerberos), using Kerberos basically requires someone to
>> interactively (and somewhat regularly) kinit, to get fresh credentials.
>> For a situation where you want to allow various servers to talk to each
>> other over an SSH channel, without any direct human intervention (e.g.
>> cron jobs, etc)... it seems that would rule out Kerberos completely?
>> But, maybe there's "something" that I'm missing, that would allow
>> Kerberos to be used like Public Keys can be now?
> There are many good docs on KRB5 - I won't try and teach you about it
> here ;-)
> Yes, there is a way - local keytabs (analogous to id_dsa), plus
> something like kstart / krenew to keep the credential cache fresh.

Thanks to everyone who mentioned "keytabs", I'll try to find out more
about them (I have the O'Reilly Kerberos book, and I've been slowly
working my way through it).

But, as someone mentioned (maybe just off-list), this still has some
shortcomings compared to public keys. The biggest is that, as I have
gathered so far, you can't tie a forced command to the credentials. I
guess that the closest workaround would be to have a specific user that
is used to log in for these specific tasks, which could have a
ForceCommand in a Match User block in sshd_config (maybe in combination
with, say, sudo so that things that maybe need to be run as some other
user instead can be?).

Mike Kelly
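The workaround sketched above (a dedicated account that logs in with a keytab, with the restriction attached to the account in sshd_config rather than to the credential), written out as an added example that is not from this thread. The account name svc-sync, the wrapper paths and the target user backup are assumptions; sudoers syntax is shown for the escalation step Mike mentions.

```sshd_config
# Added example, not from the thread. Account, command paths and the
# sudo target user are assumptions.

# --- /etc/ssh/sshd_config (global part) ---
# Kerberos stays available; the Match block below narrows what the
# service account is allowed to do with it.
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

# --- /etc/ssh/sshd_config (per-account part) ---
Match User svc-sync
    # Only Kerberos for this account: no keys, passwords or challenges,
    # so the keytab principal mapped to svc-sync is the only way in.
    PubkeyAuthentication no
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    GSSAPIAuthentication yes
    # Runs for every session of this user, whatever the client asked
    # for. The client's request is exposed to the wrapper only as the
    # SSH_ORIGINAL_COMMAND environment variable, so the wrapper must
    # whitelist it rather than execute it.
    ForceCommand /usr/local/sbin/sync-wrapper
    # No side channels for an unattended job.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no

# --- /etc/sudoers.d/svc-sync (assumed path) ---
# The wrapper may escalate to one target user and one command only;
# ALL=(ALL) here would undo the restriction the Match block imposes.
# svc-sync ALL=(backup) NOPASSWD: /usr/local/sbin/sync-as-backup
```

Because the restriction is keyed on the login account, every Kerberos principal that maps to svc-sync (via ~svc-sync/.k5login or the realm's name mapping) gets the same ForceCommand, which is the per-credential granularity public keys give and this setup does not. The effective settings for that account can be checked with `sshd -T -C user=svc-sync,host=client.example.org,addr=192.0.2.10` (hostname and address are placeholders).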
