client host certificates and receiving host configuration
Rory Campbell-Lange
rory at campbell-lange.net
Wed Jun 17 05:36:56 AEST 2020
I'm working on a small server written in Go to add short-lived user
certificates to the forwarded agents of authorized users.
https://github.com/rorycl/sshagentca
This seems to work quite well for accessing sshd servers with the
appropriately configured "TrustedUserCAKeys" directive.
I have been in a debate about how, similarly, adding host certificates to
forwarded agents could help mitigate man-in-the-middle attacks. This has
raised a few questions.
Firstly, given a host CA signing key on the sshagentca server, would an
appropriately constructed host certificate added to a forwarded agent
replace the necessity for a '@cert-authority' line in a user's known_hosts
file?
Secondly, would there be any alteration to the requirement for a
"HostCertificate" CA-signed public key (from a private "HostKey") on
sshd receiving servers?
Many thanks
Rory
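For reference, the standard OpenSSH host-certificate setup that the two questions refer to, as an added example that is not part of the post and not code from sshagentca: a host CA signs the receiving server's host key (ssh-keygen -h), sshd presents the result via "HostCertificate" alongside its private "HostKey", and clients trust the CA through a '@cert-authority' line in known_hosts. The working directory, the host name "web1.example.net", the known_hosts pattern and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the post or from sshagentca): the OpenSSH
# host-certificate setup behind the two questions. The host name, the
# known_hosts pattern and all file names are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Host CA: the signing key stays offline in practice; here it is a throwaway.
make_host_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'host-ca' -f "$WORK/host_ca"
}

# Sign the receiving server's host key. -h marks the result a host certificate,
# -n limits the principals (host names) it may be presented for, -V bounds its
# validity. Output is $WORK/ssh_host_ed25519_key-cert.pub.
sign_host_key() {
    host="$1"
    ssh-keygen -q -t ed25519 -N '' -C "$host" -f "$WORK/ssh_host_ed25519_key"
    ssh-keygen -q -s "$WORK/host_ca" -I "$host host cert" -h -n "$host" \
        -V '-5m:+52w' "$WORK/ssh_host_ed25519_key.pub"
}

# sshd_config fragment for the receiving server: the private HostKey plus the
# CA-signed HostCertificate that sshd presents during the key exchange.
sshd_fragment() {
    cat <<'EOF'
HostKey /etc/ssh/ssh_host_ed25519_key
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
EOF
}

# Client side: a @cert-authority line for known_hosts, built from the CA public
# key (key type and base64 blob only; the trailing comment field is dropped).
cert_authority_line() {
    pattern="$1"
    ca_pub="$2"
    printf '@cert-authority %s %s\n' "$pattern" "$(cut -d' ' -f1,2 "$ca_pub")"
}

# Sanity check for a known_hosts line: marker, host pattern, key type, base64 blob.
is_cert_authority_line() {
    printf '%s\n' "$1" | grep -Eq \
        '^@cert-authority [^ ]+ (ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( .*)?$'
}

# End-to-end run; needs ssh-keygen on PATH.
demo() {
    host="web1.example.net"
    make_host_ca
    sign_host_key "$host"
    echo "--- certificate as sshd will present it:"
    ssh-keygen -L -f "$WORK/ssh_host_ed25519_key-cert.pub"
    echo "--- sshd_config on $host:"
    sshd_fragment
    echo "--- known_hosts line for clients:"
    line=$(cert_authority_line '*.example.net' "$WORK/host_ca.pub")
    is_cert_authority_line "$line"
    printf '%s\n' "$line"
}

if [ "${1:-}" = run ]; then demo; fi
```

Run it as `sh host_cert_demo.sh run`; the generated certificate is printed with `ssh-keygen -L` so the principals and validity window can be checked before the files are installed under /etc/ssh on the server.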