openssh unix dev - Nov 2023 - @cert-authority for hostbased auth - sans shosts?

On Fri, 10 Nov 2023, Rory Campbell-Lange wrote:
> On 09/11/23, Marian Beermann (public at enkore.de) wrote:
> > ... while OpenSSH does support using a CA in conjunction with
hostbased
> > authentication, it still requires a list of all authorized host names
in the
> > rhosts / shosts file.
> 
> I'm not familiar with the use of .rhosts/.shosts, but I don't think
those are needed at all with a machine or per-user known_hosts file/files
utilizing host certificates.
> 
> The known_hosts file can have patterns such as the following:
> 
>     @cert-authority *.example.com ecdsa-sha2-nistp256 AAAAE2V...
> 
> Would accept the host certificate authority for *.example.com. The
"Hostnames" field can be expanded as needed, and can enclude hashed
hostnames.
> 
> See:
>
https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Certificate-based_Authentication#4._Updating_Clients_to_Acknowledge_the_Designated_Certificate_Authority
> 
> Another example (from the sshd man page)
> 
>     cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W...
> 
> Could that work for you?
AIUI what he is asking for is a file that combines the host identity
of the system-wide ssh_known_hosts file with the host/user authorisation
of shosts in a single file.

This might be a little cleaner, but IMO not so much so as to be highly
motivating (personally).

-d

On 11/10/23 04:17, Damien Miller wrote:
> AIUI what he is asking for is a file that combines the host identity
> of the system-wide ssh_known_hosts file with the host/user authorisation
> of shosts in a single file.
>
> This might be a little cleaner, but IMO not so much so as to be highly
> motivating (personally).
>
> -d
Yup, but since this is auth code I imagine it would still require quite 
some maintainer time to integrate a patch, if one were supplied. Plus 
I'm under the impression that hostbased auth is somewhat of a 
"discouraged" or at least arcane practice.

Cheers,
Marian