bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-31 18:12 UTC
[Bug 2602] New: (Feature request) Verify host using key in destination user account
https://bugzilla.mindrot.org/show_bug.cgi?id=2602

            Bug ID: 2602
           Summary: (Feature request) Verify host using key in destination user account
           Product: Portable OpenSSH
           Version: -current
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Miscellaneous
          Assignee: unassigned-bugs at mindrot.org
          Reporter: bugzilla.mindrot.org at edp.org

I would like ssh to provide host verification using a key in the destination user account (as an alternative to using a key installed by the system administrator).

It is not unusual to connect to systems where the user has an account but does not control the system (e.g., accounts provided by schools, employers, and other institutions, or an account on a virtual server at an ISP), and the institution may occasionally migrate the accounts to new hardware while neglecting to migrate the host keys. This feature would also be useful on development systems where the user reinstalls the OS frequently (but retains the user data, possibly on a storage volume separate from the OS).

If the destination account files contained a key (with permissions granting access to sshd but denying access to other users), sshd could access the key and use it to authenticate to the client ssh.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Jul-19 04:37 UTC
[Bug 2602] (Feature request) Verify host using key in destination user account
https://bugzilla.mindrot.org/show_bug.cgi?id=2602

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WONTFIX
             Status|NEW                         |RESOLVED
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
This isn't possible without breaking the guarantees that host key checking is supposed to provide.

For the behaviour that you want, ssh would have to ignore a host key verification failure at connection time, proceed with authentication and fetch (presumably using sftp) the host key from the target system. This is a substantial amount of work but, worse, it would require ssh to complete authentication to a system that it does not trust. Completing authentication means sending user credentials to the remote server. This would allow phishing or connection spoofing by hostile servers.
bugzilla-daemon at bugzilla.mindrot.org
2019-Jul-19 21:00 UTC
[Bug 2602] (Feature request) Verify host using key in destination user account
https://bugzilla.mindrot.org/show_bug.cgi?id=2602

--- Comment #2 from Eric Postpischil <bugzilla.mindrot.org at edp.org> ---
The second paragraph in the preceding comment contemplates an implementation in which the ssh client does the work of retrieving the key and verifying it. That is not necessary.

When initially contacting the server, the client would supply the name of a user on the server system. The ssh server would read a key from that user's files and use it in the normal authentication process instead of the usual system host key.
bugzilla-daemon at mindrot.org
2021-Apr-23 04:59 UTC
[Bug 2602] (Feature request) Verify host using key in destination user account
https://bugzilla.mindrot.org/show_bug.cgi?id=2602

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release