client host certificates and receiving host configuration
Damien Miller
djm at mindrot.org
Wed Jun 17 10:31:06 AEST 2020
On Tue, 16 Jun 2020, Rory Campbell-Lange wrote:
> I'm working on a small server written in Go to add short-lived user
> certificates to the forwarded agents of authorized users.
>
> https://github.com/rorycl/sshagentca
>
> This seems to work quite well for accessing sshd servers with the
> appropriately configured "TrustedUserCAKeys" directive.
>
> I have been in a debate about how similarly adding host certificates to
> forwarded agents could help mitigate man-in-the-middle attacks. This has
> raised a few questions.
>
> Firstly, given a host CA signing key on the sshagentca server, would an
> appropriately constructed host certificate added to a forwarded agent
> replace the necessity for a '@cert-authority' line in a user's known_hosts
> file?
I'm not sure I want to add yet another path (the agent) to ssh's already
twisty host key verification logic. However, a few people have requsted
a KnownHostsCommand option that allows the output of a subprocess to
be used in addition to the usual known_hosts. Would this work for you?
> Secondly, would there be any alteration to the requirement for a
> "HostCertificate" CA-signed public key (from a private "HostKey") on
> sshd receiving servers?
I don't understand what you mean here. Could you elabourate?
-d
More information about the openssh-unix-dev
mailing list