prompt to update a host key

Rory Campbell-Lange rory at campbell-lange.net
Sun Mar 17 05:34:00 AEDT 2019


On 15/03/19, Nico Kadel-Garcia (nkadel at gmail.com) wrote:

> On Fri, Mar 15, 2019 at 6:40 AM Stephen Harris <lists at spuddy.org> wrote:
> > On Fri, Mar 15, 2019 at 09:10:26AM +0000, Jochen Bern wrote:
> > And that's when you look at using certificate based host keys.
> 
> And it fails miserably as soon as any of the intervening firewalls
> block ICMP, such as, say, the security group settings for an AWS
> deployed virtual host. You need to check with port 22 on TCP, not ICMP
> packets. This sort of thing is also why a casually assembled "doodz,
> just do this thing!!!" breaks down in the larger world.

Hi Nico

Referencing back to the OP's question:

> > On 14/03/19, Jeremy Lin (jeremy.lin at gmail.com) wrote:
> > > As far as I can tell, there currently isn't a straightforward way to
> > > use password authentication for connecting to hosts where the host key
> > > changes frequently.

Is there an issue with using certificate based host keys, as Jochen
suggests, that means they can't easily be used for auto-generated
instances?

According to the RedHat docs: "To authenticate a host to a user, a
public key must be generated on the host, passed to the CA server,
signed by the CA, and then passed back to be stored on the host to
present to a user attempting to log into the host."
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-signing_ssh_certificates

The process of picking up the auto-generated host file
ssh_host_rsa_key.pub to the CA machine, signing the host file, copying
the resulting certificate back to the host, adding the line
"HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub" or alternative in
the host /etc/ssh/sshd_config file and restarting sshd can all be
automated.

If all users have received the CA public host key and have added it with
the requisite @cert-authority preamble to their ~/.ssh/known_hosts file,
the host warning Jeremy was complaining about would not occur.

Or am I missing something obvious?

Thanks
Rory
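The procedure Rory outlines above (sign the instance's host public key on the CA, install the HostCertificate line, and trust the CA through an @cert-authority entry in known_hosts), as an added shell example that is not part of this thread. It assumes OpenSSH's ssh-keygen is installed and uses made-up names: an ed25519 host key instead of the RSA one in the post, the principal host1.example.com and the known_hosts pattern *.example.com.

```shell
#!/bin/sh
# Added example (not from the thread): run the host-certificate flow end to
# end in a throwaway directory. Key names, the principal host1.example.com
# and the pattern *.example.com are assumptions for illustration.
set -eu

# sign_host_key WORKDIR: creates a CA key and a host key, signs the host key
# as a *host* certificate, and writes the two configuration fragments the
# post mentions (sshd_config on the host, known_hosts on each user machine).
sign_host_key() {
    dir="$1"
    mkdir -p "$dir"
    # 1. CA private key: stays on the CA machine, is never copied to hosts.
    ssh-keygen -q -t ed25519 -N '' -C 'host-ca' -f "$dir/ca_host_key"
    # 2. Host key exactly as an auto-generated instance would create it.
    ssh-keygen -q -t ed25519 -N '' -f "$dir/ssh_host_ed25519_key"
    # 3. On the CA machine: sign only the public half. -h makes it a host
    #    certificate, -n pins the hostnames it is valid for, -V bounds the
    #    lifetime so re-signing (rotation) is forced rather than optional.
    ssh-keygen -q -s "$dir/ca_host_key" -I 'host1.example.com' -h \
        -n 'host1.example.com' -V '+52w' \
        "$dir/ssh_host_ed25519_key.pub"
    # 4. Line to add to /etc/ssh/sshd_config on the host (then restart sshd).
    printf 'HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub\n' \
        > "$dir/sshd_config.fragment"
    # 5. Line each user adds to ~/.ssh/known_hosts: any host whose name
    #    matches the pattern and presents a cert from this CA is accepted
    #    without the "host key changed" warning.
    printf '@cert-authority *.example.com %s\n' \
        "$(cut -d' ' -f1,2 "$dir/ca_host_key.pub")" \
        > "$dir/known_hosts.fragment"
}

# cert_type WORKDIR: prints "host" or "user" as reported by ssh-keygen -L.
# A cert signed without -h is a user certificate and clients reject it as a
# host identity, so this is the check to run before shipping the cert back.
cert_type() {
    ssh-keygen -L -f "$1/ssh_host_ed25519_key-cert.pub" \
        | sed -n 's/^ *Type: .* \([a-z]*\) certificate$/\1/p'
}

# Usage: sign_host_key /tmp/hostcert && cert_type /tmp/hostcert
```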