Host based authentication and SSH CA.
Peter Ankerstål
peter at pean.org
Fri Nov 7 21:18:24 EST 2014
On 11/06/2014 10:44 PM, Iain Morgan wrote:
> On Wed, Nov 05, 2014 at 08:46:58 +0100, Peter Ankerstål wrote:
>> On 11/05/2014 01:09 AM, Damien Miller wrote:
>>> On Tue, 4 Nov 2014, Peter Ankerstål wrote:
>>>
>>>> Hi,
>>>>
>>>> I'm currently deploying signed host keys for my environment. Everything seems
>>>> to work fine, but I have one problem with host-based authentication.
>>>>
>>>> I'm running OpenSSH_6.5p1, OpenSSL 1.0.1e-fips 11 Feb 2013 on RHEL 6.5.
>>>>
>>>> When trying to log in between hosts with host-based authentication configured, I
>>>> can't do so if the host is not in /etc/ssh_known_hosts. If it's there, it works
>>>> even if the public key is wrong. It should be enough to have a single
>>>> "@cert-authority" line in ssh_known_hosts, right?
>>>
>>> I don't think host-based auth has ever been properly tested with certified
>>> keys (unfortunately, it's barely tested generally due to the difficulty of
>>> writing a test script for it). It's entirely possible that there are bugs
>>> there.
>>>
>>> Please file a report at https://bugzilla.mindrot.org/ and include the
>>> config files in question and I'll take a look when I have some time next.
>>>
>>> -d
>>>
>>
>> Thanks.
>>
>> https://bugzilla.mindrot.org/show_bug.cgi?id=2305
>>
>
> When I submitted the patch that extended certificate support to
> hostbased authentication, it seemed to be working. However, it is
> certainly possible that I overlooked something or that my tests were
> incomplete.
>
> A couple of initial questions come to mind:
>
> What pattern are you using with the @cert-authority entry?
> What principals (if any) are associated with the host cert?
>
>
> If I recall correctly, sshd will use the FQDN when validating the key or
> certificate offered by the client. Thus, if you specified any principals
> for the certificate, the list must include the FQDN and the pattern for
> the @cert-authority entry needs to also match the FQDN.
>
I have now tried with the FQDN as principal in the host cert. No
help. It is still looking for the host in known_hosts.
debug1: check_key_in_hostfiles: key for host "FQDN" not found
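The two conditions Iain lists (an @cert-authority pattern that matches the FQDN sshd validates against, and a principal list that includes that FQDN if any principals are set) can be checked before opening a bug. This is an added example, not code from the thread or from OpenSSH; the ssh_known_hosts content and CA key are constructed placeholders, and the matcher implements the '*', '?' and '!' pattern rules from the sshd(8) known_hosts format.

```python
import fnmatch

# Constructed sample ssh_known_hosts content (not from the thread): two
# @cert-authority lines with different host patterns and a placeholder CA key.
SAMPLE_KNOWN_HOSTS = """\
# host CA for the example.org domain
@cert-authority *.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERCAKEY host-ca
@cert-authority bastion,!*.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERCAKEY other-ca
"""


def host_pattern_matches(pattern_list: str, hostname: str) -> bool:
    """Match a hostname against a comma-separated known_hosts pattern list.

    '*' and '?' are wildcards; a leading '!' negates, and a matching negated
    pattern makes the whole list fail regardless of other entries (sshd(8)).
    fnmatch also honours '[...]' classes, which OpenSSH does not; avoid them.
    """
    hostname = hostname.lower()
    positive = False
    for pat in pattern_list.split(","):
        pat = pat.strip().lower()
        if not pat:
            continue
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            positive = True
    return positive


def cert_authority_patterns(known_hosts: str) -> list:
    """Return the host-pattern field of every @cert-authority line."""
    patterns = []
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "@cert-authority":
            patterns.append(fields[1])
    return patterns


def check_hostbased_cert(known_hosts: str, fqdn: str, principals: list) -> list:
    """Explain why sshd would not accept a host certificate for this FQDN.

    Returns an empty list when some @cert-authority pattern matches the FQDN
    and the certificate's principals (if any) include it.
    """
    problems = []
    if not any(host_pattern_matches(p, fqdn) for p in cert_authority_patterns(known_hosts)):
        problems.append(f"no @cert-authority pattern matches {fqdn}")
    if principals and fqdn.lower() not in [p.lower() for p in principals]:
        problems.append(f"certificate principals {principals} do not include {fqdn}")
    return problems
```

Feed it the client host's FQDN as sshd resolves it and the principals shown by `ssh-keygen -L -f ssh_host_key-cert.pub`; an empty result means the two thread conditions hold and the problem lies elsewhere.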