PKI host based principal
Alon Bar-Lev
alon.barlev at gmail.com
Mon Feb 23 08:56:21 AEDT 2015
Hello,
Maybe I did not understand correctly the PKI trust, so forgive me if I am wrong.
For example, I have multiple hosts that all serves as monitoring
server, I would like to trust only these hosts, so I enrol a
certificate for these using "monitoring" principal, so I can connect
only to these.
At first I thought we can do Match statement at ssh_config, however,
the Match is being evaluated before connection, so remove principal
name is not available at this stage.
>From what I do understand the known_hosts format enables CA key and
DNS mask of matched hosts.
There is no way to match against the certificate principal name.
I thought about something like:
@cert-authority
*.mydomain.org,*.mydomain.com,principal=xxx,principal=yyy <CA_KEY>
If the above cannot be done, do you think it will be helpful?
BTW: It would also be handy to allow specify CA key within separate
file, something like the following:
@cert-authority-file *.mydomain.org,*.mydomain.com,principal=xxx /etc/.../ca.pub
Regards,
Alon Bar-Lev.
More information about the openssh-unix-dev
mailing list