PKI host based principal

Alon Bar-Lev alon.barlev at gmail.com
Mon Feb 23 11:08:16 AEDT 2015


I guess [1] is the answer, and it is not merged yet.

[1] http://serverfault.com/questions/669718/connecting-to-a-pool-member-over-ssh-w-a-host-certificate-good-for-the-pool-nam

On Sun, Feb 22, 2015 at 11:56 PM, Alon Bar-Lev <alon.barlev at gmail.com> wrote:
> Hello,
>
> Maybe I did not understand the PKI trust correctly, so forgive me if I am wrong.
>
> For example, I have multiple hosts that all serve as monitoring
> servers. I would like to trust only these hosts, so I enrol a
> certificate for them using a "monitoring" principal, so I can connect
> only to these.
>
> At first I thought we could use a Match statement in ssh_config; however,
> Match is evaluated before the connection, so the remote principal
> name is not available at this stage.
>
> From what I understand, the known_hosts format allows a CA key and a
> DNS mask of matched hosts.
>
> There is no way to match against the certificate principal name.
>
> I thought about something like:
>
> @cert-authority
> *.mydomain.org,*.mydomain.com,principal=xxx,principal=yyy <CA_KEY>
>
> If the above cannot be done, do you think it will be helpful?
>
> BTW: It would also be handy to allow specifying the CA key in a separate
> file, something like the following:
>
> @cert-authority-file *.mydomain.org,*.mydomain.com,principal=xxx /etc/.../ca.pub
>
> Regards,
> Alon Bar-Lev.
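
To make the mechanics of the proposal concrete, here is an added
example (not part of the original message and not OpenSSH code) that
models what the client does with a known_hosts @cert-authority line
today and what the proposed "principal=" tokens would add. Assumptions
are marked in the code: the "principal=" syntax is the one proposed in
the message above and is not accepted by real OpenSSH; the certificate
blob is constructed locally following the field order in OpenSSH's
PROTOCOL.certkeys, with placeholder key and signature bytes, and no CA
signature is verified. Without "principal=" the acceptance rule mirrors
current behaviour (the host name you connected to must be one of the
certificate's valid_principals); with it, the certificate must instead
carry one of the listed principals, which is how I read the request.

```python
"""known_hosts @cert-authority matching plus the proposed 'principal=' restriction.
Added illustration, not OpenSSH code. 'principal=' is the post's proposal and is
NOT real OpenSSH syntax. Certificate bytes are constructed; no signature is checked."""
import base64
import struct

# --- SSH wire format (RFC 4251): string = uint32 big-endian length + bytes ---
def _s(b):
    return struct.pack(">I", len(b)) + b

def _read(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_host_cert(principals, key_id="monitoring-host"):
    """Constructed ssh-ed25519-cert-v01@openssh.com blob in PROTOCOL.certkeys field
    order. Key and signature bytes are placeholders; only principal parsing is real."""
    plist = b"".join(_s(p.encode()) for p in principals)
    return (_s(b"ssh-ed25519-cert-v01@openssh.com")
            + _s(b"\x11" * 32)                  # nonce
            + _s(b"\x00" * 32)                  # ed25519 public key (placeholder)
            + struct.pack(">QI", 1, 2)          # serial=1, type=2 (host certificate)
            + _s(key_id.encode())               # key id
            + _s(plist)                         # valid_principals
            + struct.pack(">QQ", 0, 2**64 - 1)  # valid_after, valid_before
            + _s(b"") + _s(b"") + _s(b"")       # critical options, extensions, reserved
            + _s(_s(b"ssh-ed25519") + _s(b"\x22" * 32))   # signature key (CA, placeholder)
            + _s(_s(b"ssh-ed25519") + _s(b"\x00" * 64)))  # signature (placeholder)

def cert_principals(blob):
    """Walk an ed25519 certificate blob and return its valid_principals list.
    (RSA/ECDSA certs carry more public-key fields before the serial; not handled.)"""
    off = 0
    ktype, off = _read(blob, off)
    if ktype != b"ssh-ed25519-cert-v01@openssh.com":
        raise ValueError("only the ed25519 certificate layout is handled here")
    _, off = _read(blob, off)   # nonce
    _, off = _read(blob, off)   # public key
    off += 8 + 4                # serial (uint64), type (uint32)
    _, off = _read(blob, off)   # key id
    plist, off = _read(blob, off)
    out, p = [], 0
    while p < len(plist):
        name, p = _read(plist, p)
        out.append(name.decode())
    return out

def _glob(pat, s):
    """OpenSSH-style pattern: only '*' and '?' are special (no character classes)."""
    if not pat:
        return s == ""
    if pat[0] == "*":
        return any(_glob(pat[1:], s[i:]) for i in range(len(s) + 1))
    return s != "" and pat[0] in ("?", s[0]) and _glob(pat[1:], s[1:])

def host_matches(patterns, host):
    """known_hosts host field: comma-separated patterns, matched case-insensitively;
    a '!' pattern that matches rejects the line even if another pattern matched."""
    host = host.lower()
    matched = False
    for pat in patterns.split(","):
        neg = pat.startswith("!")
        if _glob(pat.lstrip("!").lower(), host):
            if neg:
                return False
            matched = True
    return matched

def parse_cert_authority_line(line):
    """Split '@cert-authority <patterns> <keytype> <base64>' and peel off the
    hypothetical 'principal=NAME' tokens from the host pattern list."""
    marker, pats, ktype, key = line.split(None, 3)
    if marker != "@cert-authority":
        raise ValueError("not a @cert-authority line")
    hosts, principals = [], []
    for tok in pats.split(","):
        if tok.startswith("principal="):
            principals.append(tok[len("principal="):])   # proposed syntax, assumption
        else:
            hosts.append(tok)
    return ",".join(hosts), principals, ktype, base64.b64decode(key)

def cert_accepted(line, host, cert_blob):
    """Would this known_hosts line accept this host certificate for this host name?
    No 'principal=': the connected host name must be a listed principal (current rule).
    With 'principal=': the certificate must carry one of the listed principals."""
    hosts, wanted, _ktype, _ca_key = parse_cert_authority_line(line)
    if not host_matches(hosts, host):
        return False
    have = set(cert_principals(cert_blob))
    if wanted:
        return bool(have & set(wanted))
    return host in have

# Constructed CA public key for the sample lines (placeholder bytes, not a real key).
CA_B64 = base64.b64encode(_s(b"ssh-ed25519") + _s(b"\x22" * 32)).decode()
PROPOSED_LINE = f"@cert-authority *.mydomain.org,*.mydomain.com,principal=monitoring ssh-ed25519 {CA_B64}"
PLAIN_LINE = f"@cert-authority *.mydomain.org,*.mydomain.com ssh-ed25519 {CA_B64}"
```

With PLAIN_LINE, a certificate whose only principal is "monitoring" is
rejected for mon1.mydomain.org, which is exactly the gap the message
describes; with PROPOSED_LINE the same certificate is accepted, and a
certificate that merely names the host (no "monitoring" principal) is
not. A real implementation would still verify the CA signature against
the key on the line and check the validity window.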


More information about the openssh-unix-dev mailing list