@cert-authority for hostbased auth - sans shosts?
Marian Beermann
public at enkore.de
Fri Nov 10 09:14:19 AEDT 2023
Hi,

we're looking to reduce the number of host lists that need to be kept in sync in our system. (There are quite a few of them all over the place.)

OpenSSH CAs are an obvious solution for not having to keep all host keys in sync in /etc/ssh/known_hosts; however, while OpenSSH does support using a CA in conjunction with hostbased authentication, it still requires a list of all authorized host names in the rhosts / shosts file.

That does make sense, as known_hosts is of course primarily for, well, knowing host keys, and doesn't say anything about trusting them for hostbased authentication, so for hostbased, using a @cert-authority here is functionally the same as just listing all issued public keys directly.

While that's an improvement over having to keep both authorized_keys and shosts up to date, as the whole point of a CA mechanism is to delegate trust, shosts seems a bit redundant in this case. It seems to me like there's a missing piece here, something like an /etc/ssh/authorized_keys, which would allow you to write something in the spirit of

    cert-authority,hosts="*.mycluster.foo.bar" ssh-...

which would then permit hostbased authentication for hosts with a valid certificate matching the hostname pattern without passing further shosts checks.

Cheers,
Marian
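The two gates the post describes, modelled in Python as an added illustration (this is not OpenSSH code and not part of the original mail). The first half mimics what sshd does today: a host certificate is accepted only if a `@cert-authority` line in known_hosts covers the client's hostname, and hostbased login is then granted only if that hostname is also listed in shosts.equiv. The second half parses the hypothetical single-file format from the post, with `hosts=` given the pattern-list semantics of ssh_config(5) PATTERNS (`*`, `?`, `!` negation). All file contents and key strings are constructed placeholders; only plain hostnames are modelled in shosts.equiv (no netgroups, no user fields), and treating a proposed line without `hosts=` as a deny is a choice made for this example, not a documented OpenSSH rule.

```python
import re

# Constructed sample files; the key material is a placeholder, not a real key.
KNOWN_HOSTS = """\
# Host CA that signed every node certificate in the cluster
@cert-authority *.mycluster.foo.bar ssh-ed25519 AAAAC3EXAMPLE_CA_KEY host_ca
# An unrelated host pinned by its plain key (no CA involved)
gw.other.example ssh-ed25519 AAAAC3EXAMPLE_HOST_KEY
"""

SHOSTS_EQUIV = """\
# hosts allowed to use hostbased auth; today this list must be kept in sync
node1.mycluster.foo.bar
node2.mycluster.foo.bar
-node9.mycluster.foo.bar
"""

# Hypothetical single-file format from the post; nothing in OpenSSH reads this.
PROPOSED_FILE = """\
cert-authority,hosts="*.mycluster.foo.bar,!node9.mycluster.foo.bar" ssh-ed25519 AAAAC3EXAMPLE_CA_KEY host_ca
"""


def _pattern_to_regex(pat: str) -> re.Pattern:
    # OpenSSH host patterns know only '*' (any run) and '?' (one character);
    # everything else is literal, which is why fnmatch's [] classes are not used.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pat)
    return re.compile(body, re.IGNORECASE)


def host_matches(pattern_list: str, hostname: str) -> bool:
    """Pattern-list match: comma separated, '!' negates, and a matching
    negated pattern wins over any positive match."""
    matched = False
    for pat in pattern_list.split(","):
        negated = pat.startswith("!")
        if _pattern_to_regex(pat[1:] if negated else pat).fullmatch(hostname):
            if negated:
                return False
            matched = True
    return matched


def trusted_cas(known_hosts: str, hostname: str) -> list:
    """CA public keys whose @cert-authority line covers hostname (identity only)."""
    cas = []
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "@cert-authority":
            if host_matches(fields[1], hostname):
                cas.append(fields[3])
    return cas


def in_shosts_equiv(shosts_equiv: str, client_host: str) -> bool:
    """Plain-hostname subset of shosts.equiv: '-host' denies, a bare host allows."""
    for line in shosts_equiv.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        entry = fields[0].lower()
        if entry == "-" + client_host.lower():
            return False
        if entry == client_host.lower():
            return True
    return False


def hostbased_allowed(known_hosts: str, shosts_equiv: str,
                      client_host: str, cert_ca_key: str) -> bool:
    """Current behaviour, modelled: the CA line says "this really is node1";
    the shosts entry is what says "node1 may log in hostbased". Both must hold."""
    return (cert_ca_key in trusted_cas(known_hosts, client_host)
            and in_shosts_equiv(shosts_equiv, client_host))


def _split_options(opts: str) -> dict:
    """authorized_keys-style options: comma separated, double-quoted values may
    themselves contain commas."""
    out, buf, quoted = {}, "", False
    for ch in opts + ",":
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            if buf:
                key, _, value = buf.partition("=")
                out[key] = value
            buf = ""
        else:
            buf += ch
    return out


def proposed_allowed(authorized_hosts: str, client_host: str, cert_ca_key: str) -> bool:
    """The post's proposal, modelled: one line delegates hostbased trust to a CA
    for every host whose certified name matches the hosts= pattern list."""
    for line in authorized_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        options, ca_key = _split_options(fields[0]), fields[2]
        if "cert-authority" not in options or ca_key != cert_ca_key:
            continue
        hosts = options.get("hosts")  # missing hosts= is a deny in this model
        if hosts and host_matches(hosts, client_host):
            return True
    return False
```

The model makes the post's point visible: `node3` holds a perfectly valid certificate from the trusted CA, yet `hostbased_allowed` rejects it because it is absent from shosts.equiv, while the single proposed line admits it and still lets `!node9` be carved out. In a real deployment the equivalent knobs are `HostbasedAuthentication yes` in sshd_config (with `/etc/ssh/ssh_known_hosts` and `/etc/ssh/shosts.equiv`; `~/.shosts` is ignored while `IgnoreRhosts` keeps its default), and `HostbasedAuthentication yes` plus `EnableSSHKeysign yes` in the connecting host's ssh_config with its `ssh_host_*_key-cert.pub` installed next to the host key. Whichever file ends up carrying the authorization, the hostname pattern on the CA line is the control that bounds what the CA can vouch for, so keeping it as narrow as the cluster naming allows is the defensive setting.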