OpenSSH contract development / patch
Damien Miller
djm at mindrot.org
Thu May 4 11:01:42 AEST 2017
On Wed, 3 May 2017, Stephen Harris wrote:
> On Thu, May 04, 2017 at 09:37:59AM +1000, Adam Eijdenberg wrote:
> > Hi Devin, have you looked at using openssh certificates to help manage
> [...]
> > While the feature has been around for a while now (and is really
> > useful), there doesn't seem to be huge amount of documentation around
> > it. I found the following useful when getting a client of my running
>
> Yeah, when I wrote about it last year I didn't find many clients
> (just the openssh client) understood it:
> https://www.sweharris.org/post/2016-10-30-ssh-certs/
Nice guide. You might want to mention hostname canonicalisation[1] in
relation to host certs, it keeps things happy when users specify
unqualified hostnames.
> How many clients do work with CA signed keys?
The Go x/crypto/ssh package supports OpenSSH certificates and offers
a callback that's pretty easy to hook up with them. I don't know whether
anybody is using it for that though.
I do know of some of certified host keys in the wild with only OpenSSH
as the client.
-d
[1] http://blog.djm.net.au/2014/01/hostname-canonicalisation-in-openssh.html
More information about the openssh-unix-dev
mailing list