Host based authentication and SSH CA.

Damien Miller djm at mindrot.org
Fri Nov 7 22:29:36 EST 2014


On Fri, 7 Nov 2014, Peter Ankerstål wrote:

> > 	What principals (if any) are associated with the host cert?
> 
> Right now I don't have any principals at all in the host cert.

That's likely the problem then. The principals should list the
hostname(s) of the server.

(I agree that the documentation here is terrible).

> > If I recall correctly, sshd will use the FQDN when validating the key or
> > certificate offered by the client. Thus, if you specified any principals
> > for the certificate, the list must include the FQDN and the pattern for
> > the @cert-authority entry needs to also match the FQDN.
> 
> When logging in with key-based authentication the host CA works fine.
> 
> debug1: Host 'm3' is known and matches the ECDSA-CERT host certificate.
> debug1: Found CA key in /etc/ssh/ssh_known_hosts:1
> 
> But when doing hostbased authentication it first gives me those two lines but
> then tries to look for m3 specifically in ssh_known_hosts.

That's strange - I'll take a look via the bug.

-d
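The two conditions discussed above (the client FQDN must appear in the host certificate's principal list, and an @cert-authority line in ssh_known_hosts must match that FQDN with the CA key that signed the certificate) can be checked offline before touching sshd. The script below is an added example, not code from the thread or from OpenSSH: it builds a constructed ed25519 host certificate in OpenSSH's -cert-v01 wire layout (the field order from PROTOCOL.certkeys, with a dummy signature that is never verified), parses it back, and applies both checks. The host name m3 comes from the thread; the domain example.com, the key bytes and the ssh_known_hosts line are assumptions made for the example. A real certificate produced with `ssh-keygen -s host_ca -I m3 -h -n m3,m3.example.com ssh_host_ecdsa_key.pub` can be fed through parse_pubkey_line the same way. Treating an empty principal list as a failure follows the advice in the reply (list the server's hostnames), not a claim about which sshd code path the poster hit.

```python
"""Added example (not OpenSSH code): parse an OpenSSH host certificate and
check it the way the thread says sshd needs for hostbased authentication:
the client FQDN must be a listed principal, and an @cert-authority entry in
ssh_known_hosts must match that FQDN with the CA key that signed the cert."""
import base64
import fnmatch
import struct

SSH2_CERT_TYPE_HOST = 2  # certificate type value for host certs (PROTOCOL.certkeys)

# Number of SSH "string" fields of public-key material that follow the nonce,
# per base key type (ed25519: one; rsa: e and n; ecdsa: curve name and point).
_PUBKEY_STRINGS = {"ssh-ed25519": 1, "ssh-rsa": 2, "ecdsa-sha2-nistp256": 2,
                   "ecdsa-sha2-nistp384": 2, "ecdsa-sha2-nistp521": 2}


def _s(b):
    """Encode an SSH 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


class _Reader:
    """Sequential decoder for the SSH wire types used in certificates."""

    def __init__(self, buf):
        self.buf, self.off = buf, 0

    def u32(self):
        (v,) = struct.unpack_from(">I", self.buf, self.off)
        self.off += 4
        return v

    def u64(self):
        (v,) = struct.unpack_from(">Q", self.buf, self.off)
        self.off += 8
        return v

    def string(self):
        n = self.u32()
        v = self.buf[self.off:self.off + n]
        if len(v) != n:
            raise ValueError("truncated certificate")
        self.off += n
        return v


def build_host_cert(pubkey, key_id, principals, ca_pubkey):
    """Constructed ssh-ed25519 host certificate in the -cert-v01 layout with a
    dummy signature: for exercising the parser and checks below, not for use."""
    return b"".join([
        _s(b"ssh-ed25519-cert-v01@openssh.com"),
        _s(b"\x00" * 32),                                   # nonce
        _s(pubkey),                                         # certified public key
        struct.pack(">Q", 1),                               # serial
        struct.pack(">I", SSH2_CERT_TYPE_HOST),             # type
        _s(key_id.encode()),                                # key id
        _s(b"".join(_s(p.encode()) for p in principals)),   # valid principals
        struct.pack(">Q", 0), struct.pack(">Q", 2 ** 64 - 1),  # valid after/before
        _s(b""), _s(b""), _s(b""),                          # crit. options, extensions, reserved
        _s(_s(b"ssh-ed25519") + _s(ca_pubkey)),             # signature key (the CA)
        _s(b"not-a-real-signature"),                        # signature (not verified here)
    ])


def parse_cert(blob):
    """Decode the fields of an OpenSSH -cert-v01 certificate blob."""
    r = _Reader(blob)
    cert_name = r.string().decode()
    base = cert_name.replace("-cert-v01@openssh.com", "")
    if base == cert_name or base not in _PUBKEY_STRINGS:
        raise ValueError("unsupported certificate type: " + cert_name)
    r.string()                                  # nonce
    for _ in range(_PUBKEY_STRINGS[base]):
        r.string()                              # public key material, unused here
    serial, ctype, key_id = r.u64(), r.u32(), r.string().decode()
    pr, principals = _Reader(r.string()), []
    while pr.off < len(pr.buf):                 # principals are packed strings
        principals.append(pr.string().decode())
    valid_after, valid_before = r.u64(), r.u64()
    r.string(), r.string(), r.string()          # critical options, extensions, reserved
    signature_key = r.string()                  # raw CA public key blob
    r.string()                                  # signature
    return {"serial": serial, "type": ctype, "key_id": key_id, "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before,
            "signature_key": signature_key}


def parse_pubkey_line(line):
    """Parse a *-cert.pub line ("<type> <base64> [comment]") as written by ssh-keygen."""
    return parse_cert(base64.b64decode(line.split()[1]))


def known_hosts_cas(text):
    """Return (host patterns, raw CA key blob) for each @cert-authority line.
    Hashed (|1|...) host entries are not handled by this example."""
    cas = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "@cert-authority":
            cas.append((parts[1].split(","), base64.b64decode(parts[3])))
    return cas


def match_host_patterns(patterns, hostname):
    """Known-hosts pattern matching modelled on OpenSSH's match_pattern_list:
    '*' and '?' wildcards, case-insensitive, a matching '!pattern' rejects
    outright, otherwise any positive match wins. (fnmatch also treats '['
    as a character class, which OpenSSH does not.)"""
    matched = False
    for pat in patterns:
        negate = pat.startswith("!")
        if fnmatch.fnmatchcase(hostname.lower(), pat.lstrip("!").lower()):
            if negate:
                return False
            matched = True
    return matched


def hostbased_cert_check(cert, known_hosts_text, client_fqdn):
    """Apply the two checks from the thread to a parsed client host cert."""
    if cert["type"] != SSH2_CERT_TYPE_HOST:
        return False, "not a host certificate"
    ca_ok = any(blob == cert["signature_key"] and match_host_patterns(pats, client_fqdn)
                for pats, blob in known_hosts_cas(known_hosts_text))
    if not ca_ok:
        return False, "no @cert-authority entry matches %s with the signing CA key" % client_fqdn
    if not cert["principals"]:
        return False, "certificate lists no principals; sign it with -n <hostnames>"
    if client_fqdn not in cert["principals"]:
        return False, "%s is not a listed principal (have: %s)" % (
            client_fqdn, ", ".join(cert["principals"]))
    return True, "accepted: CA matched and %s is a listed principal" % client_fqdn


# Constructed sample material (assumed, not real keys): fixed bytes stand in
# for ed25519 public keys; example.com is an assumed domain for host m3.
CA_PUBKEY, HOST_PUBKEY = bytes(range(32)), bytes(range(32, 64))
CA_BLOB = _s(b"ssh-ed25519") + _s(CA_PUBKEY)
KNOWN_HOSTS = ("@cert-authority m3,*.example.com ssh-ed25519 "
               + base64.b64encode(CA_BLOB).decode() + " host CA\n")
EMPTY_CERT = build_host_cert(HOST_PUBKEY, "m3", [], CA_PUBKEY)  # the poster's situation
FIXED_CERT = build_host_cert(HOST_PUBKEY, "m3", ["m3", "m3.example.com"], CA_PUBKEY)


def demo(client_fqdn="m3.example.com"):
    """Run both checks against the empty-principal and the fixed certificate."""
    return {name: hostbased_cert_check(parse_cert(blob), KNOWN_HOSTS, client_fqdn)
            for name, blob in (("empty", EMPTY_CERT), ("fixed", FIXED_CERT))}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print("%-5s %s: %s" % (name, "OK" if ok else "FAIL", reason))
```

Running it shows the empty-principal certificate rejected even though the @cert-authority line matches, and the re-signed one accepted; pointing parse_pubkey_line at the real ssh_host_*_key-cert.pub and the real /etc/ssh/ssh_known_hosts reproduces what `ssh-keygen -L -f` prints under "Principals" together with the pattern match sshd will perform on the client's FQDN.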

