Host based authentication and SSH CA.

Peter Ankerstål peter at pean.org
Sat Nov 8 01:04:28 EST 2014


On 11/07/2014 12:29 PM, Damien Miller wrote:
> On Fri, 7 Nov 2014, Peter Ankerstål wrote:
>
>>> 	What principals (if any) are associated with the host cert?
>>
>> Right now i dont have any principals at all in the host cert.
>
> That's likely the problem then. The principals should list the
> hostname(s) of the server.
>
> (I agree that the documentation here is terrible).
>
>>> If I recall correctly, sshd will use the FQDN when validating the key or
>>> certificate offered by the client. Thus, if you specified any principals
>>> for the certificate, the list must include the FQDN and the pattern for
>>> the @cert-authority entry needs to also match the FQDN.
>>
>> When logging with key based authentication the host CA works fine.
>>
>> debug1: Host 'm3' is known and matches the ECDSA-CERT host certificate.
>> debug1: Found CA key in /etc/ssh/ssh_known_hosts:1
>>
>> But when doing hostbased authentication it first gives me those two lines but
>> then tries to look for m3 specifically in ssh_known_hosts.
>
> That's strange - I'll take a look via the bug.
>
> -d
>
I am NOT a programmer, but to me it looks like we need some sort of 
logic about certs around this block of code in auth2-hostbased.c:

        host_status = check_key_in_hostfiles(pw, key, lookup,
            _PATH_SSH_SYSTEM_HOSTFILE,
            options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);
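The two conditions the quoted reply points at (the host certificate must carry the host's name as a principal, and the @cert-authority pattern in ssh_known_hosts must match that name), as an added shell example that is not from this thread or from OpenSSH's own code. It mints a throwaway CA and host key for a hypothetical host "m3" with FQDN "m3.example.com" (both names, the ed25519 key type and the file names are the example's assumptions), signs the host key once without -n and once with principals, and reads the principals back with ssh-keygen -L. pattern_matches is a shell-glob stand-in for sshd's hostname pattern matching, not the real thing.

```shell
#!/bin/sh
# Added example, not OpenSSH code: mint a host certificate with and without
# principals and inspect what an sshd trusting the CA would find in it.
# Hypothetical names: the host is "m3" with FQDN "m3.example.com".
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

HOST_SHORT=m3
HOST_FQDN=m3.example.com
CA="$WORK/host_ca"
HOSTKEY="$WORK/ssh_host_ed25519_key"

# Fresh CA key pair (rm first so ssh-keygen never prompts to overwrite).
make_ca() {
    rm -f "$CA" "$CA.pub"
    ssh-keygen -q -t ed25519 -N '' -C host-ca -f "$CA"
}

# Fresh host key pair for m3.
make_host_key() {
    rm -f "$HOSTKEY" "$HOSTKEY.pub" "$HOSTKEY-cert.pub"
    ssh-keygen -q -t ed25519 -N '' -C "$HOST_FQDN" -f "$HOSTKEY"
}

# sign_host_cert PRINCIPALS: -h makes a host (not user) certificate; -n sets
# the comma-separated principals. An empty argument signs with no principals,
# which is the situation described in the thread.
sign_host_cert() {
    if [ -n "$1" ]; then
        ssh-keygen -q -s "$CA" -I "$HOST_FQDN-host" -h -n "$1" -V +52w "$HOSTKEY.pub"
    else
        ssh-keygen -q -s "$CA" -I "$HOST_FQDN-host" -h -V +52w "$HOSTKEY.pub"
    fi
}

# cert_principals: print the certificate's principals one per line, nothing if
# ssh-keygen -L reports "(none)".
cert_principals() {
    ssh-keygen -L -f "$HOSTKEY-cert.pub" | awk '
        /^[ \t]*Principals:/       { if ($2 == "(none)") exit; p = 1; next }
        /^[ \t]*Critical Options:/ { exit }
        p                          { sub(/^[ \t]+/, ""); print }'
}

# cert_has_principal NAME: success if NAME is listed in the certificate.
cert_has_principal() {
    cert_principals | grep -Fqx -- "$1"
}

# known_hosts_line PATTERN: the ssh_known_hosts entry that trusts this CA for
# hosts matching PATTERN (e.g. "*" or "*.example.com").
known_hosts_line() {
    printf '@cert-authority %s %s\n' "$1" "$(cut -d' ' -f1,2 "$CA.pub")"
}

# pattern_matches PATTERN NAME: shell-glob approximation of the host pattern in
# an @cert-authority line (both understand * and ?; this helper takes one
# pattern, not a comma-separated list).
pattern_matches() {
    case "$2" in
        $1) return 0 ;;
    esac
    return 1
}

# cert_ok_for PATTERN NAME: both conditions from the thread must hold: the
# @cert-authority pattern matches NAME and NAME is a principal of the cert.
cert_ok_for() {
    pattern_matches "$1" "$2" && cert_has_principal "$2"
}

main() {
    make_ca
    make_host_key
    sign_host_cert ""
    printf 'no -n given, principals: [%s]\n' "$(cert_principals | tr '\n' ' ')"
    sign_host_cert "$HOST_SHORT,$HOST_FQDN"
    printf 'with -n, principals:    [%s]\n' "$(cert_principals | tr '\n' ' ')"
    known_hosts_line '*.example.com'
    for name in "$HOST_FQDN" "$HOST_SHORT"; do
        if cert_ok_for '*.example.com' "$name"; then
            echo "$name: accepted"
        else
            echo "$name: rejected (pattern mismatch or not a principal)"
        fi
    done
}

if command -v ssh-keygen >/dev/null 2>&1; then
    main
else
    echo 'ssh-keygen not found; nothing to demonstrate' >&2
fi
```

Run it as-is; the first ssh-keygen -L shows an empty principal list, the second shows both names, and only m3.example.com passes the '*.example.com' pattern. For hostbased authentication it is sshd on the target that validates the certificate offered by the connecting host, so the name that has to appear as a principal and match the pattern is the connecting host's name as that sshd resolves it.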

