HashKnownHosts vs @cert-authority

Peter Moody mindrot at hda3.com
Tue Dec 13 03:23:52 AEDT 2016


On Dec 12, 2016 4:17 AM, "Harald Dunkel" <harald.dunkel at aixigo.de> wrote:

On 12/12/2016 09:09 AM, Damien Miller wrote:
> On Fri, 9 Dec 2016, Harald Dunkel wrote:
>
>> Hi folks,
>>
>> maybe I am too blind to see, but would it be possible to
>> avoid extra entries in known_hosts, if the remote host
>> has a signed public key matching a @cert-authority line?
>> Something like
>>
>>      Host *
>>              HashKnownHosts unsigned
>>
>> This could help to keep the known_hosts file small and
>> yet get all the unsigned public keys in.
>
> Certificates aren't added to known_hosts when the CA is trusted,
> so this is pretty much already the behaviour.
>
> -d
>

I'm not talking about the signed certificates, but the host keys.
Sample session:

% cat .ssh/known_hosts.ca
@cert-authority *.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...5yM9EUO40GTkTDdm/tqXLr root@ca.example.com
@cert-authority *.hosting.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQA...w83RVE37kLAaoGXjQ8mKp4wuUmRuxf root@dex02.hosting.example.com
% ssh -o UserKnownHostsFile=${HOME}/.ssh/known_hosts.ca dpcl064 echo "hello, world"
Warning: Permanently added 'dpcl064' (RSA) to the list of known hosts.


Your cert is good for *.hosting.example.com but you're connecting to
dpcl064. Unless your ssh_config is doing some canonicalization, your client
won't accept the host cert presented since the host name doesn't match the
principals listed in the CA.


hello, world
% cat .ssh/known_hosts.ca
@cert-authority *.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...5yM9EUO40GTkTDdm/tqXLr root@ca.example.com
@cert-authority *.hosting.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQA...w83RVE37kLAaoGXjQ8mKp4wuUmRuxf root@dex02.hosting.example.com
|1|enWm+4uvYU/G0qgjuYP0TpxIk3M=|MpKwoY+HIrUJbcR4vrNH1xYxWT4= ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB...I2bbm6C52Uga3TBWQ7F+xG0Wd5k1I+KMJnJ


Regards
Harri
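
An added illustration of the two mechanisms the thread contrasts (constructed for this page; it is not OpenSSH code and not part of either message): a small Python model of how the client matches the name it connects to against known_hosts. It reimplements, in simplified form, CanonicalizeHostname/CanonicalDomains, the comma-separated host patterns, the `|1|salt|hmac` entry form that HashKnownHosts writes, and the @cert-authority check (pattern matches the name, CA key matches the signer, name is a cert principal). DNS is replaced by a constructed lookup table, the CA and host keys are placeholder strings, and the function names (`session`, `client_decision` and the rest) are mine. With the two @cert-authority lines from the session above and a host cert for the principal dpcl064.hosting.example.com, typing `dpcl064` matches neither the pattern nor the principal, so the client falls through to the bare host key and would append a hashed entry; canonicalizing the name to dpcl064.hosting.example.com takes the certificate path and writes nothing.

```python
"""Added model (not OpenSSH source) of how an ssh client matches a host name
against known_hosts; DNS is a constructed table and keys are placeholders."""
import base64
import hashlib
import hmac
import os
import re

RESOLVABLE = {"dpcl064.hosting.example.com"}  # constructed stand-in for DNS

def canonicalize(host, canonical_domains, resolvable=RESOLVABLE, max_dots=1):
    """CanonicalizeHostname yes: append each CanonicalDomains entry in turn and
    keep the first that resolves; names with > max_dots dots are used as typed."""
    if host.count(".") > max_dots:
        return host
    for domain in canonical_domains:
        if f"{host}.{domain}" in resolvable:
            return f"{host}.{domain}"
    return host  # nothing resolved: keep the name as typed

def match_pattern_list(name, pattern_list):
    """known_hosts host field: comma-separated, '*' (also matches dots) and '?'
    wildcards, case-insensitive; a matching '!' pattern vetoes the whole list."""
    name, matched = name.lower(), False
    for pat in pattern_list.lower().split(","):
        negate = pat.startswith("!")
        pat = pat[1:] if negate else pat
        regex = "^" + re.escape(pat).replace(r"\*", ".*").replace(r"\?", ".") + "$"
        if re.match(regex, name):
            if negate:
                return False
            matched = True
    return matched

def hash_hostname(name, salt=None):
    """HashKnownHosts form written by ssh: |1|b64(salt)|b64(HMAC-SHA1(salt, name))."""
    salt = os.urandom(20) if salt is None else salt
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def hashed_entry_matches(hashed, name):
    """Recompute the HMAC under the stored salt; the stored name is not recoverable."""
    _, version, salt_b64, mac_b64 = hashed.split("|")
    if version != "1":
        return False
    mac = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, base64.b64decode(mac_b64))

def parse_known_hosts(text):
    entries = []  # dicts: marker (None or e.g. 'cert-authority'), hosts field, key
    for line in text.splitlines():
        line, marker = line.strip(), None
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            marker, line = line.split(None, 1)
            marker = marker[1:]
        parts = line.split(None, 3)  # hosts, keytype, key, optional comment
        if len(parts) >= 3:
            entries.append({"marker": marker, "hosts": parts[0], "key": parts[2]})
    return entries

def entry_matches_host(entry, host):
    hosts = entry["hosts"]
    return hashed_entry_matches(hosts, host) if hosts.startswith("|1|") else match_pattern_list(host, hosts)

def client_decision(host, known_hosts, server_cert, server_key):
    """server_cert: constructed {"ca": CA public key, "principals": [...]} or None;
    server_key: the bare host public key. Returns what the client would do."""
    entries = parse_known_hosts(known_hosts)
    # Certificate path: the @cert-authority pattern must match the name, its key must
    # be the signing CA and the name must be a principal. Nothing is written on success.
    if server_cert is not None:
        for e in entries:
            if (e["marker"] == "cert-authority" and entry_matches_host(e, host)
                    and e["key"] == server_cert["ca"]
                    and host.lower() in [p.lower() for p in server_cert["principals"]]):
                return "accepted-by-ca"
    # Otherwise the cert is ignored and the bare key is checked against ordinary entries.
    for e in entries:
        if e["marker"] is None and entry_matches_host(e, host) and e["key"] == server_key:
            return "accepted-by-known-key"
    return "unknown-host"  # ssh would prompt, then add a hashed entry for the typed name

# Constructed data mirroring the thread: two CAs, a host cert from the hosting CA.
CA_EXAMPLE = "CONSTRUCTED-CA-KEY-example-com"
CA_HOSTING = "CONSTRUCTED-CA-KEY-hosting-example-com"
HOST_KEY = "CONSTRUCTED-HOST-KEY-dpcl064"
HOST_CERT = {"ca": CA_HOSTING, "principals": ["dpcl064.hosting.example.com"]}
KNOWN_HOSTS = f"""\
@cert-authority *.example.com ssh-rsa {CA_EXAMPLE} root@ca.example.com
@cert-authority *.hosting.example.com ssh-rsa {CA_HOSTING} root@dex02.hosting.example.com
"""

def session(typed_host, canonical_domains=()):
    """Name actually used and the outcome, with and without CanonicalDomains."""
    host = canonicalize(typed_host, canonical_domains)
    return host, client_decision(host, KNOWN_HOSTS, HOST_CERT, HOST_KEY)
```

In ssh_config terms the canonicalization the model performs is `CanonicalizeHostname yes` plus `CanonicalDomains hosting.example.com`; the host certificate must then carry that canonical name as a principal. The hashed line ssh appended in the session above is the same `|1|salt|hmac` shape that `hash_hostname` produces, which is also why a pattern such as *.hosting.example.com can never be hashed: the HMAC commits to exactly one name, so @cert-authority patterns always stay in the clear and HashKnownHosts only affects the entries ssh itself adds.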

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

