Host based authentication and SSH CA.

Iain Morgan imorgan at nas.nasa.gov
Fri Nov 7 08:44:54 EST 2014


On Wed, Nov 05, 2014 at 08:46:58 +0100, Peter Ankerstål wrote:
> On 11/05/2014 01:09 AM, Damien Miller wrote:
> >On Tue, 4 Nov 2014, Peter Ankerstål wrote:
> >
> >>Hi,
> >>
> >>I'm currently deploying signed host keys for my environment. Everything seems
> >>to work fine but I have one problem with host-based authentication.
> >>
> >>I'm running OpenSSH_6.5p1, OpenSSL 1.0.1e-fips 11 Feb 2013 on RHEL 6.5.
> >>
> >>When trying to login between hosts with host-based authentication configured I
> >>can't do so if the host is not in /etc/ssh_known_hosts. If it's there it works
> >>even if the public key is wrong. It should be enough to have a single
> >>"@cert-authority" line in ssh_known_hosts right?
> >
> >I don't think host-based auth has ever been properly tested with certified
> >keys (unfortunately, it's barely tested generally due to the difficulty of
> >writing a test script for it). It's entirely possible that there are bugs
> >there.
> >
> >Please file a report at https://bugzilla.mindrot.org/ and include the
> >config files in question and I'll take a look when I have some time next.
> >
> >-d
> >
> 
> Thanks.
> 
> https://bugzilla.mindrot.org/show_bug.cgi?id=2305
> 

When I submitted the patch that extended certificate support to
hostbased authentication, it seemed to be working. However, it is
certainly possible that I overlooked something or that my tests were
incomplete.

A couple of initial questions come to mind:

	What pattern are you using with the @cert-authority entry?
	What principals (if any) are associated with the host cert?


If I recall correctly, sshd will use the FQDN when validating the key or
certificate offered by the client. Thus, if you specified any principals
for the certificate, the list must include the FQDN and the pattern for
the @cert-authority entry needs to also match the FQDN.

-- 
Iain Morgan
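
The two checks Iain describes (the @cert-authority hostname pattern must match the client's FQDN, and a non-empty principal list on the host certificate must contain that same FQDN) can be modelled offline. The script below is an added example written for this archive page; it is not code from the thread or from OpenSSH. It reimplements OpenSSH's known_hosts pattern rules (`*` and `?` wildcards, comma-separated lists, `!` negation) in Python and takes the certificate's principals as a plain list, the way `ssh-keygen -L` prints them, rather than parsing a certificate blob. The ssh_known_hosts content, CA key material and host names are constructed for the demonstration; hashed (`|1|...`) entries and `[host]:port` forms are not handled.

```python
"""Model sshd's hostbased-auth checks for a certified host key.

Added example, not from the mailing list or OpenSSH.  It mirrors two of
the checks sshd applies when a client offers a host certificate:

  1. some @cert-authority line in ssh_known_hosts must have a hostname
     pattern matching the client's canonical hostname (the FQDN);
  2. if the certificate lists principals, the FQDN must be one of them
     (exact string compare); an empty list is valid for any host.

Hashed known_hosts entries and [host]:port forms are out of scope.
"""

# Constructed ssh_known_hosts; the CA key below is placeholder text, not a
# real key (it is never parsed here).
SAMPLE_KNOWN_HOSTS = """\
# CA for the example.com fleet
@cert-authority *.example.com,!bad.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERCAKEY
# a plain (non-CA) entry that must be ignored by the CA check
legacy.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAPLACEHOLDER
"""


def match_pattern(pattern: str, s: str) -> bool:
    """OpenSSH match_pattern() semantics: '*' matches any run of characters,
    '?' matches exactly one, everything else is literal (no [] classes)."""
    m, n = len(pattern), len(s)
    # dp[i][j] is True when pattern[i:] matches s[j:]
    dp = [[False] * (n + 1) for _ in range(m + 1)]
    dp[m][n] = True
    for i in range(m - 1, -1, -1):
        for j in range(n, -1, -1):
            p = pattern[i]
            if p == "*":
                dp[i][j] = dp[i + 1][j] or (j < n and dp[i][j + 1])
            elif j < n and (p == "?" or p == s[j]):
                dp[i][j] = dp[i + 1][j + 1]
            else:
                dp[i][j] = False
    return dp[0][0]


def match_hostname(host: str, patterns: str) -> bool:
    """OpenSSH match_hostname(): comma-separated patterns, compared
    case-insensitively; a pattern prefixed with '!' negates, and a negated
    match rejects the whole entry even if another pattern matched."""
    host = host.lower()
    matched = False
    for pat in patterns.lower().split(","):
        if not pat:
            continue
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if match_pattern(pat, host):
            if negated:
                return False
            matched = True
    return matched


def cert_authority_patterns(known_hosts_text: str):
    """Yield the hostname-pattern field of every @cert-authority line."""
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # marker, patterns, key type, key (comment optional)
        if len(fields) >= 4 and fields[0] == "@cert-authority":
            yield fields[1]


def hostbased_cert_accepted(fqdn: str, known_hosts_text: str,
                            cert_principals: list) -> tuple:
    """Return (accepted, reason) for a host cert offered by `fqdn`."""
    if not any(match_hostname(fqdn, pat)
               for pat in cert_authority_patterns(known_hosts_text)):
        return False, "no @cert-authority pattern matches %s" % fqdn
    if cert_principals and fqdn not in cert_principals:
        return False, "%s is not a listed principal" % fqdn
    return True, "accepted"


if __name__ == "__main__":
    # The thread's symptom: short name offered where the CA pattern and the
    # certificate both expect the FQDN.
    cases = [
        ("host1.example.com", ["host1.example.com"]),  # principals hold FQDN
        ("host1.example.com", []),                     # no principals: any host
        ("host1.example.com", ["host1"]),              # short name only: rejected
        ("host1", ["host1"]),                          # pattern never matches
        ("bad.example.com", []),                       # negated by !bad.example.com
    ]
    for name, principals in cases:
        print(name, principals, hostbased_cert_accepted(name, SAMPLE_KNOWN_HOSTS, principals))
```

To see the real principal list on a host, run `ssh-keygen -L -f /etc/ssh/ssh_host_rsa_key-cert.pub` (or whichever `HostCertificate` sshd_config names) and compare the "Principals" section with the name sshd resolves for the client; if the two disagree, extend the principals (or sign with none) rather than loosening the @cert-authority pattern.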


More information about the openssh-unix-dev mailing list