@cert-authority for hostbased auth - sans shosts?

Damien Miller djm at mindrot.org
Sun Nov 12 13:31:57 AEDT 2023


On Sat, 11 Nov 2023, Marian Beermann wrote:

> On 11/10/23 04:17, Damien Miller wrote:
> > AIUI what he is asking for is a file that combines the host identity
> > of the system-wide ssh_known_hosts file with the host/user authorisation
> > of shosts in a single file.
> > 
> > This might be a little cleaner, but IMO not so much so as to be highly
> > motivating (personally).
> 
> Yup, but since this is auth code I imagine it would still require quite some
> maintainer time to integrate a patch, if one were supplied. Plus I'm under the
> impression that hostbased auth is somewhat of a "discouraged" or at least
> arcane practice.

It's not discouraged so much as rarely used. It's very useful in some
situations and I can think of good reasons to use it more often (e.g.
requiring both host and user identity as part of authentication).

It definitely has more rough edges than user publickey authentication -
it's harder to set up (admin only) and harder to debug, as it requires
access to authentication logs and we haven't put as much effort into
making the logs useful and actionable when something is misconfigured.

> 
> Cheers,
> Marian
> 
> 
-d
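As an added illustration of the "host plus user identity" setup Damien describes (this is not part of the thread and not OpenSSH project text), the fragments below show the admin-side files involved: sshd_config on the server, the system-wide shosts.equiv and ssh_known_hosts that together encode the host identity and host/user authorisation discussed above, and the client-side ssh_config. Hostnames, addresses and the key string are placeholders; the directive names are OpenSSH's own.

```text
# ---- server: /etc/ssh/sshd_config ----
HostbasedAuthentication yes
# Consult only the system-wide files; ignore ~/.shosts, ~/.rhosts and ~/.ssh/known_hosts
IgnoreRhosts yes
IgnoreUserKnownHosts yes
# Identify the client host by its resolved name, not the name it claims in the packet
HostbasedUsesNameFromPacketOnly no
# Comma-separated = every listed method must succeed: trusted host AND user public key
AuthenticationMethods hostbased,publickey
# Hostbased failures (unknown host key, no shosts.equiv match) only show up at this level
LogLevel VERBOSE

# ---- server: /etc/ssh/shosts.equiv (host authorisation) ----
# A bare hostname permits logins from that host where the client and server usernames match.
client.example.com

# ---- server: /etc/ssh/ssh_known_hosts (host identity) ----
# Placeholder key; use the client's actual host public key here.
client.example.com,192.0.2.10 ssh-ed25519 AAAA...<client host public key>

# ---- client: /etc/ssh/ssh_config ----
Host *
    HostbasedAuthentication yes
    # ssh-keysign (setuid) signs with the root-owned host key on the user's behalf
    EnableSSHKeysign yes
```

When this fails, the server's auth log at VERBOSE level is the place to look: a hostbased attempt is refused silently from the client's point of view if the ssh_known_hosts entry does not match the resolved client name or the shosts.equiv line is missing, which is the debugging difficulty the message above refers to.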

