Host based authentication and SSH CA.
Peter Ankerstål
peter at pean.org
Wed Nov 5 18:46:58 EST 2014
On 11/05/2014 01:09 AM, Damien Miller wrote:
> On Tue, 4 Nov 2014, Peter Ankerstål wrote:
>
>> Hi,
>>
>> I'm currently deploying signed host keys for my environment. Everything seems
>> to work fine but I have one problem with host based authentication.
>>
>> I'm running OpenSSH_6.5p1, OpenSSL 1.0.1e-fips 11 Feb 2013 on RHEL 6.5.
>>
>> When trying to login between hosts with host-based authentication configured I
>> can't do so if the host is not in /etc/ssh_knows_hosts. If it's there it works
>> even if the public key is wrong. It should be enough to have a single
>> "@cert-authority" line in ssh_known_hosts, right?
>
> I don't think host-based auth has ever been properly tested with certified
> keys (unfortunately, it's barely tested generally due to the difficulty of
> writing a test script for it). It's entirely possible that there are bugs
> there.
>
> Please file a report at https://bugzilla.mindrot.org/ and include the
> config files in question and I'll take a look when I have some time next.
>
> -d
>
Thanks.
https://bugzilla.mindrot.org/show_bug.cgi?id=2305
More information about the openssh-unix-dev
mailing list