Adding SNI support to SSH
Peter Moody
mindrot at hda3.com
Tue Jan 14 09:31:05 AEDT 2020
On Mon, Jan 13, 2020 at 1:48 PM Nico Schottelius
<nico.schottelius at ungleich.ch> wrote:
> b) enabling load balancing for multi clusters
>
> The (b) case has 1 name per cluster, each serving multiple nodes behind
> the name. (b) is currently solved using round robin DNS with a 60s
> timeout. And yes, indeed all those nodes have the same host keys and
> it needs 1 public IPv4 address per cluster.
You don't need to share private keys. You just need all your bastion
hosts to share a ValidPrincipal:
host 1:
    Public key: ssh-rsa-cert-v01@openssh.com SHA256:jfqNDw4KlRbJIvcdjgvKLKyQHvRL4/vzHv9hfO5u93g
    Signing CA: ssh-rsa SHA256:qgFitzijB4IdXeJMKrLNPIdjrA6NqxL5Dk4cjyS+0GM
    Serial: 8132918520001589427
    Valid: after 27 Dec 19 22:01 -0800 (-400h23m35s), before 26 Mar 20 23:06 -0700 (1759h41m24s)
    Principals:
        bastion.example.com
        bastion01.example.com

host 2:
    Public key: ssh-rsa-cert-v01@openssh.com SHA256:thg+wy8J+cx2MhREYUuMv9Qxlt2TlnTei2Yq66G++kc
    Signing CA: ssh-rsa SHA256:qgFitzijB4IdXeJMKrLNPIdjrA6NqxL5Dk4cjyS+0GM
    Serial: 6576436632342469726
    Valid: after 27 Dec 19 22:17 -0800 (-400h7m8s), before 26 Mar 20 23:22 -0700 (1759h57m51s)
    Principals:
        bastion.example.com
        bastion02.example.com
Clients with

    @cert-authority *.example.com ssh-rsa <rsa key>

in their ~/.ssh/known_hosts or /etc/ssh/known_hosts will accept either
certificate for the name "bastion.example.com".
More information about the openssh-unix-dev mailing list