Joachim Lindenberg
2023-Dec-10 19:31 UTC
[Samba] ssh with certificates - was: AW: Samba Bind DLZ and Zone signing
Out of curiosity:
I am wondering who recommends ssh key management via DNSSEC? Afaik it only addresses host authentication but not user authentication, and PuTTY (the most popular client on Windows) does not support it at all. I personally experimented with Kerberos, but there are also gaps in support, in particular the Windows ssh server does not support it.
I haven't tried ssh with certificates yet, but the descriptions I have seen look ok, only that standard X.509 certificates cannot be reused.
What prevents you (or others) from using certificates?
Joachim

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> on behalf of Sami Hulkko via samba
Sent: Sunday, 10 December 2023 20:04
To: samba at lists.samba.org
Subject: Re: [Samba] Samba Bind DLZ and Zone signing

Hi,

One can use ssh verification of hosts with a DNS-provided HOST KEY (the one in ~/.ssh/id_rsa.pub and the one in the /etc/ssh/ folder for the host), which requires DNSSEC zone signing. It is recommended practice to authenticate SSH hosts to clients and preferred over the more complex SSL certificate method. A securely signed zone is a prerequisite for SSH to approve the host ID provided by DNS.

SH

On 10/12/2023 18.50, Rowland Penny via samba wrote:
> On Sun, 10 Dec 2023 17:23:19 +0200
> Sami Hulkko via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> Is there any way of signing the zones with a zone-signing key? How
>> would one add a zone-signing key and key-signing key to the DLZ
>> database? The Windows 11 Pro RSAT tool for the nameserver does not accept
>> key addition and states unauthorized.
>>
> I think you need to explain what you are trying to achieve. As far as
> I am aware, Windows clients can update their own dns records in AD and
> Unix clients need to use kerberos. So just what are you trying to do
> and why ?
>
> Rowland
>
--
Me worry? That's why my first CD was Peter Gabriel SO....

Sami Hulkko
sahulkko at gmail.com
sahulkko at icloud.com
samihulkko at quantum-black-hole.com
+358 45 85693 919

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Sami Hulkko
2023-Dec-10 19:38 UTC
[Samba] ssh with certificates - was: AW: Samba Bind DLZ and Zone signing
Hi,

I am after host-to-client authentication, which is the first sentence in the mail. There is already Kerberos5 in Samba and there are other user-to-host authentication methods for that. To authenticate HOST to CLIENT, DNSSEC is the standard preferred method.

PuTTY is year-2000 stuff and the current one is Windows Terminal. Try it out, it is free of charge in the Windows Store and supports WSL2, Visual Studio and other software well.

SH

On 10/12/2023 21.31, Joachim Lindenberg via samba wrote:
> Out of curiosity:
> I am wondering who recommends ssh key management via DNSSEC? Afaik it only addresses host authentication but not user authentication, and PuTTY (the most popular client on Windows) does not support it at all. I personally experimented with Kerberos, but there are also gaps in support, in particular the Windows ssh server does not support it.
> I haven't tried ssh with certificates yet, but the descriptions I have seen look ok, only that standard X.509 certificates cannot be reused.
> What prevents you (or others) from using certificates?
> Joachim
Norbert Hanke
2023-Dec-10 19:53 UTC
[Samba] ssh with certificates - was: AW: Samba Bind DLZ and Zone signing
Off-topic for this list, but you mentioned it. One of the lists mentioned in https://www.openssh.com/list.html might be a better place to discuss this.

There is a public patch for OpenSSH that allows using X.509 certificates for authentication, see https://www.roumenpetrov.info/secsh/index.html . That patch has been maintained for about 20 years, initially by implementing a proprietary protocol extension. In the meantime that evolved into a standard protocol described in RFC 6187. It never made it into "standard OpenSSH", probably because there is a competing certificate standard (not X.509) supported by OpenSSH.

On 10.12.2023 20:31, Joachim Lindenberg via samba wrote:
> Out of curiosity:
> I am wondering who recommends ssh key management via DNSSEC? Afaik it only addresses host authentication but not user authentication, and PuTTY (the most popular client on Windows) does not support it at all. I personally experimented with Kerberos, but there are also gaps in support, in particular the Windows ssh server does not support it.
> I haven't tried ssh with certificates yet, but the descriptions I have seen look ok, only that standard X.509 certificates cannot be reused.
> What prevents you (or others) from using certificates?
> Joachim
Owen DeLong
2023-Dec-11 07:38 UTC
[Samba] ssh with certificates - was: AW: Samba Bind DLZ and Zone signing
To be clear, DNS only provides HOST identification validation (the host's key fingerprints are stored as RDATA in an SSHFP DNS record). This avoids the need to validate the server's key on first connection or delete it from the known_hosts file when it changes, but it has nothing to do with user authentication.

Owen

On Dec 10, 2023, at 11:31, Joachim Lindenberg via samba <samba at lists.samba.org> wrote:
> Out of curiosity:
> I am wondering who recommends ssh key management via DNSSEC? Afaik it only addresses host authentication but not user authentication, and PuTTY (the most popular client on Windows) does not support it at all. I personally experimented with Kerberos, but there are also gaps in support, in particular the Windows ssh server does not support it.
> I haven't tried ssh with certificates yet, but the descriptions I have seen look ok, only that standard X.509 certificates cannot be reused.
> What prevents you (or others) from using certificates?
> Joachim
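As an added illustration of the SSHFP mechanism Sami and Owen describe (example code, not from any poster in this thread): this Python builds the SSHFP RDATA from an OpenSSH public key line the way `ssh-keygen -r` does and performs the client-side comparison. The key material is a constructed placeholder, not a real key, and the owner name `host.example.test.` is assumed.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers from the IANA registry (RFC 4255, 6594, 7479);
# fingerprint type 1 = SHA-1, 2 = SHA-256.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
FPTYPE_NAME = {1: "sha1", 2: "sha256"}


def sshfp_from_pubkey(pubkey_line, fptype=2):
    """Return (algorithm, fptype, hex_fingerprint) for one OpenSSH public key line.
    The fingerprint is the digest of the raw key blob (the decoded base64 field),
    which is what `ssh-keygen -r` publishes and what the client recomputes."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, blob = fields[0], base64.b64decode(fields[1])
    if keytype not in SSHFP_ALGORITHM:
        raise ValueError("no SSHFP algorithm number for key type %r" % keytype)
    # The blob starts with its own key-type string; reject a line whose fields disagree.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type field does not match key blob")
    return SSHFP_ALGORITHM[keytype], fptype, hashlib.new(FPTYPE_NAME[fptype], blob).hexdigest()


def sshfp_record(owner, pubkey_line, fptype=2):
    """Zone-file SSHFP RR for the host, in the form `ssh-keygen -r` prints."""
    alg, fpt, hexfp = sshfp_from_pubkey(pubkey_line, fptype)
    return "%s IN SSHFP %d %d %s" % (owner, alg, fpt, hexfp)


def host_key_matches(record, pubkey_line):
    """Client-side check: does the key the server offered match a published SSHFP RR
    (algorithm, fptype, hex_fingerprint)?  OpenSSH's VerifyHostKeyDNS only accepts
    such a match without prompting when the DNS answer was DNSSEC-validated (AD bit)."""
    alg, fpt, hexfp = record
    if fpt not in FPTYPE_NAME:
        return False  # unknown fingerprint type: cannot verify, so do not accept
    return sshfp_from_pubkey(pubkey_line, fpt) == (alg, fpt, hexfp.lower())


def constructed_ed25519_line(seed=0):
    """Constructed sample, NOT a real key: 32 placeholder bytes in ssh-ed25519 wire format."""
    pub = bytes((seed + i) & 0xFF for i in range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub
    return "ssh-ed25519 %s host@example.test" % base64.b64encode(blob).decode()
```

Only a DNSSEC-validated answer makes the record trustworthy; without the signed zone the client falls back to the usual known_hosts prompt.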