Host based authentication and SSH CA.

Peter Ankerstål peter at pean.org
Tue Nov 4 22:20:59 EST 2014


Hi,

I'm currently deploying signed host keys for my environment. Everything 
seems to work fine but I have one problem with host-based authentication.

I'm running OpenSSH_6.5p1, OpenSSL 1.0.1e-fips 11 Feb 2013 on RHEL 6.5.

When trying to log in between hosts with host-based authentication 
configured I can't do so if the host is not in /etc/ssh_known_hosts. If 
it's there it works even if the public key is wrong. It should be enough 
to have a single "@cert-authority" line in ssh_known_hosts, right?

m1# ssh m3 -v
...
debug1: Host 'm3' is known and matches the RSA-CERT host certificate.
debug1: Found CA key in /etc/ssh/ssh_known_hosts:1
...
debug1: ssh_rsa_verify: signature correct
-----

m3# /usr/sbin/sshd -dd
...
debug3: load_hostkeys: loading entries for host "m1" from file 
"/etc/ssh/ssh_known_hosts"
debug3: load_hostkeys: found ca key type RSA in file 
/etc/ssh/ssh_known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug1: check_key_in_hostfiles: key for host m1 not found
debug1: check_key_in_hostfiles: key for host m1 not found

Why can't I use the CA for host-based auth?
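As an added illustration (not part of this post and not OpenSSH's own code), the following Python parses a constructed ssh_known_hosts file and counts, for a given host, how many plain host-key lines, @cert-authority lines and @revoked lines apply to it, including HashKnownHosts-style hashed names; it mirrors the distinction in the sshd debug output above, where the CA line is loaded but no plain key is found for m1. The sample file, host names and placeholder key blobs are constructed for the example.

```python
import base64
import fnmatch
import hashlib
import hmac

def hash_hostname(host: str, salt: bytes) -> str:
    # HashKnownHosts form: |1|b64(salt)|b64(HMAC-SHA1(salt, host))
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def pattern_matches(pattern: str, host: str) -> bool:
    if pattern.startswith("|1|"):
        salt = base64.b64decode(pattern.split("|")[2])
        return hmac.compare_digest(hash_hostname(host, salt), pattern)
    return fnmatch.fnmatchcase(host, pattern)  # plain name or glob such as 10.0.0.*

def entry_matches(entry, host: str) -> bool:
    # applies if some pattern matches and no "!"-negated pattern matches
    pats = entry[1]
    if any(pattern_matches(p[1:], host) for p in pats if p.startswith("!")):
        return False
    return any(pattern_matches(p, host) for p in pats if not p.startswith("!"))

def parse_known_hosts(text: str) -> list:
    # entry = (marker, patterns, key_type, key_b64); marker is "cert-authority", "revoked" or None
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker, fields = (fields[0][1:], fields[1:]) if fields[0].startswith("@") else (None, fields)
        if len(fields) < 3:
            raise ValueError("malformed known_hosts line: %r" % line)
        entries.append((marker, fields[0].split(","), fields[1], fields[2]))
    return entries

def classify(text: str, host: str) -> dict:
    # a CA line counts as loaded, but it is not a plain key for the host
    counts = {"plain": 0, "cert-authority": 0, "revoked": 0}
    for entry in parse_known_hosts(text):
        if entry_matches(entry, host):
            counts[entry[0] or "plain"] += 1
    return counts

SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, not the poster's file; key blobs are placeholders",
    "@cert-authority * ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERCA= host-ca",
    "m2,10.0.0.2 ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERM2= m2",
    hash_hostname("m5", b"constructed-20B-salt") + " ssh-ed25519 AAAAPLACEHOLDER= m5",
])
```

Running classify(SAMPLE_KNOWN_HOSTS, "m1") reports one cert-authority entry and zero plain entries, which is the situation the debug output above describes.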
