@cert-authority for hostbased auth - sans shosts?

Marian Beermann public at enkore.de
Fri Nov 10 09:14:19 AEDT 2023


We're looking to reduce the number of host lists that need to be kept in
sync in our system. (There are quite a few of them all over the place.)

OpenSSH CAs are an obvious solution for not having to keep all host keys
in sync in /etc/ssh/known_hosts. However, while OpenSSH does support using
a CA in conjunction with hostbased, it still requires a list of all
authorized host names in the rhosts / shosts file.

That does make sense, as known_hosts is of course primarily for, well,
knowing host keys, and doesn't say anything about trusting them for
hostbased authentication. So for hostbased, using a @cert-authority here
is functionally the same as just listing all issued public keys.

While that's an improvement over having to keep both authorized_keys and
up to date, as the whole point of a CA mechanism is to delegate trust,
shosts seems a bit redundant in this case. It seems to me like there's a
piece here, something like an /etc/ssh/authorized_keys, which would allow
you to write something in the spirit of

cert-authority,hosts="*.mycluster.foo.bar" ssh-...

which would then permit hostbased authentication for hosts with a valid 
matching the hostname pattern without passing further shosts checks.
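As an added illustration (not part of the post and not OpenSSH's own code), the following Python models the two separate host lists the post describes: the @cert-authority pattern in known_hosts that establishes which CA may vouch for which hosts, and the shosts.equiv entry that separately authorizes the host for hostbased login. Signature verification is assumed to have succeeded already, so a certificate is represented only by its CA key string and principal list; the key blob, hostnames and file contents are constructed sample data.

```python
# Added example, not from the thread: models the host lists sshd consults for a
# hostbased login by a CA-certified host (signature verification assumed done).
def match_pattern(pattern: str, name: str) -> bool:
    """OpenSSH-style glob: '*' any run, '?' one char, case-insensitive."""
    p, n = pattern.lower(), name.lower()
    if not p:
        return not n
    if p[0] == "*":
        return any(match_pattern(p[1:], n[i:]) for i in range(len(n) + 1))
    return bool(n) and p[0] in ("?", n[0]) and match_pattern(p[1:], n[1:])

def match_host_list(patterns: str, host: str) -> bool:
    """Comma-separated known_hosts pattern list; a matching '!pattern' vetoes."""
    matched = False
    for pat in patterns.split(","):
        if pat.startswith("!"):
            if match_pattern(pat[1:], host):
                return False
        elif match_pattern(pat, host):
            matched = True
    return matched

def ca_trusted_for(known_hosts: str, host: str, ca_key: str) -> bool:
    """True if an @cert-authority line names ca_key for a pattern matching host."""
    for line in known_hosts.splitlines():
        f = line.split()  # plain keys, @revoked and hashed (|1|...) lines skipped
        if len(f) >= 4 and f[0] == "@cert-authority" and f"{f[2]} {f[3]}" == ca_key:
            if match_host_list(f[1], host):
                return True
    return False

def in_shosts_equiv(shosts_equiv: str, host: str) -> bool:
    """/etc/ssh/shosts.equiv: one hostname per line, '#' starts a comment."""
    entries = {ln.split("#", 1)[0].strip().lower() for ln in shosts_equiv.splitlines()}
    return host.lower() in entries

def hostbased_decision(known_hosts, shosts_equiv, client_host, ca_key, principals):
    """Return (allowed, reason) for one hostbased authentication attempt."""
    if not ca_trusted_for(known_hosts, client_host, ca_key):
        return False, "no @cert-authority entry in known_hosts covers this host"
    if client_host.lower() not in {p.lower() for p in principals}:
        return False, "certificate principals do not name the client host"
    if not in_shosts_equiv(shosts_equiv, client_host):
        return False, "host key trusted via CA, but host not listed in shosts.equiv"
    return True, "allowed"

# Constructed sample: one CA line covers the whole cluster, yet shosts.equiv must
# still enumerate each host, which is the redundancy the post points out.
CA_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLECONSTRUCTEDCAKEY"
KNOWN_HOSTS = f"@cert-authority *.mycluster.foo.bar {CA_KEY} cluster-ca\n"
SHOSTS_EQUIV = "node01.mycluster.foo.bar\n# node02 was never added here\n"
```

Calling `hostbased_decision(KNOWN_HOSTS, SHOSTS_EQUIV, "node02.mycluster.foo.bar", CA_KEY, ["node02.mycluster.foo.bar"])` is refused at the shosts.equiv step even though the CA pattern already covers that host, which is exactly the second list the post would like to drop.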

