Host based authentication and SSH CA.

Peter Ankerstål peter at pean.org
Fri Nov 7 18:03:51 EST 2014


On 11/06/2014 10:44 PM, Iain Morgan wrote:
> On Wed, Nov 05, 2014 at 08:46:58 +0100, Peter Ankerstål wrote:
>> On 11/05/2014 01:09 AM, Damien Miller wrote:
>>> On Tue, 4 Nov 2014, Peter Ankerstål wrote:
>>>
>>>> Hi,
>>>>
>>>> I'm currently deploying signed host keys for my environment. Everything seems
>>>> to work fine but I have one problem with host based authentication.
>>>>
>>>> I'm running OpenSSH_6.5p1, OpenSSL 1.0.1e-fips 11 Feb 2013 on RHEL 6.5.
>>>>
>>>> When trying to login between hosts with host-based authentication configured I
>>>> can't do so if the host is not in /etc/ssh_known_hosts. If it's there it works
>>>> even if the public key is wrong. It should be enough to have a single
>>>> "@cert-authority" line in ssh_known_hosts right?
>>>
>>> I don't think host-based auth has ever been properly tested with certified
>>> keys (unfortunately, it's barely tested generally due to the difficulty of
>>> writing a test script for it). It's entirely possible that there are bugs
>>> there.
>>>
>>> Please file a report at https://bugzilla.mindrot.org/ and include the
>>> config files in question and I'll take a look when I have some time next.
>>>
>>> -d
>>>
>>
>> Thanks.
>>
>> https://bugzilla.mindrot.org/show_bug.cgi?id=2305
>>
>
> When I submitted the patch that extended certificate support to
> hostbased authentication, it seemed to be working. However, it is
> certainly possible that I overlooked something or that my tests were
> incomplete.
>
> A couple of initial questions come to mind:
>
> 	What pattern are you using with the @cert-authority entry?

Right now I use *

> 	What principals (if any) are associated with the host cert?

Right now I don't have any principals at all in the host cert.

>
>
> If I recall correctly, sshd will use the FQDN when validating the key or
> certificate offered by the client. Thus, if you specified any principals
> for the certificate, the list must include the FQDN and the pattern for
> the @cert-authority entry needs to also match the FQDN.

When logging in with key-based authentication the host CA works fine.

debug1: Host 'm3' is known and matches the ECDSA-CERT host certificate.
debug1: Found CA key in /etc/ssh/ssh_known_hosts:1

But when doing hostbased authentication it first gives me those two 
lines but then tries to look for m3 specifically in ssh_known_hosts.
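The two conditions Iain describes (the @cert-authority pattern must match the FQDN sshd resolves for the client host, and a non-empty principal list in the host cert must contain that FQDN) can be checked offline. The following is an added example, not OpenSSH code or anything from the thread; it implements OpenSSH's known_hosts host-pattern rules (`*`, `?`, comma lists, `!` negation) over a constructed ssh_known_hosts sample, and assumes unhashed entries only (hashed `|1|` lines are not handled).

```python
# Added example: mirror of the CA-line and principal checks sshd applies in
# hostbased auth. Constructed sample; the base64 blobs are placeholders.
SAMPLE_KNOWN_HOSTS = """\
# constructed sample, not real keys
@cert-authority *.example.org,!old.example.org ssh-ed25519 AAAAC3...CAKEY host-ca
m3 ecdsa-sha2-nistp256 AAAAE2...PLAIN plain host key entry
"""


def _glob(s, p):
    """OpenSSH-style glob: '*' matches any run, '?' one char, no [] classes."""
    if not p:
        return not s
    if p[0] == "*":
        return any(_glob(s[i:], p[1:]) for i in range(len(s) + 1))
    return bool(s) and p[0] in ("?", s[0]) and _glob(s[1:], p[1:])


def match_host_pattern(host, pattern_list):
    """Like match_hostname(): a negated pattern that matches rejects the entry."""
    host, positive = host.lower(), False
    for pat in pattern_list.lower().split(","):
        negate = pat.startswith("!")
        if _glob(host, pat[1:] if negate else pat):
            if negate:
                return False
            positive = True
    return positive


def find_cert_authorities(known_hosts_text, host):
    """Return (line number, key type) of each @cert-authority line matching host."""
    hits = []
    for lineno, raw in enumerate(known_hosts_text.splitlines(), 1):
        fields = raw.strip().split(None, 3)
        if len(fields) < 4 or fields[0] != "@cert-authority":
            continue  # comments, plain host keys and @revoked lines are not CAs
        if match_host_pattern(host, fields[1]):
            hits.append((lineno, fields[2]))
    return hits


def host_cert_accepted(known_hosts_text, cert_principals, fqdn):
    """A CA line must match the FQDN sshd resolved for the client, and the
    cert's principal list, when non-empty, must contain that same FQDN."""
    if not find_cert_authorities(known_hosts_text, fqdn):
        return False
    return not cert_principals or fqdn.lower() in {p.lower() for p in cert_principals}
```

With the sample above, `host_cert_accepted(SAMPLE_KNOWN_HOSTS, ["m3"], "m3.example.org")` is False because the cert names only the short host name, while an empty principal list or one that includes the FQDN is accepted.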




