bugzilla-daemon at bugzilla.mindrot.org
2019-Apr-30 15:58 UTC
[Bug 3001] New: enable sending OpenPGP-formed certificates for ssh hosts
https://bugzilla.mindrot.org/show_bug.cgi?id=3001

            Bug ID: 3001
           Summary: enable sending OpenPGP-formed certificates for ssh hosts
           Product: Portable OpenSSH
           Version: 8.0p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: dkg at fifthhorseman.net

This is a feature request for in-band transmission of OpenPGP certificates for OpenSSH hosts.

I propose adding a new HostKeyAlgorithm `openpgp-ed25519-cert at monkeysphere.info`, which transmits that same public key material, wrapped in OpenPGP key material, to the client.

The first step of the implementation would just be server-side: if the client states a preference for that algorithm, and sshd knows of a `HostKey` named `$FOO` that contains an ed25519 secret key, and `$FOO.pgp` exists, then `sshd` should just send the content of `$FOO.pgp` over the wire, while working with the secret key found in `$FOO`.

This permits the host to send in-band OpenPGP-style certificates, without `sshd` needing to know anything about the format.

The second step toward making this useful in an OpenSSH-on-both-endpoints ecosystem would be client-side, something like the `KnownHostsCommand` request from bug 1777; I'll defer that discussion over there.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
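Added example, not code from the bug report and not OpenSSH or Monkeysphere code. The report says the new algorithm carries "that same public key material" wrapped in OpenPGP; the check a server operator would want before serving `$FOO.pgp` is that the OpenPGP packet really wraps the Ed25519 key in `$FOO`. The example parses both encodings (the OpenSSH `ssh-ed25519` blob and an RFC 4880/RFC 9580 v4 public-key packet using the legacy EdDSA algorithm 22 with the Ed25519 OID) and compares the 32 raw bytes, then applies the report's server-side rule with that check added. The match check, the `choose_hostkey_blob` helper and the sample key bytes are assumptions of this example; the algorithm name is the one proposed in the report.

```python
"""Added example (not from the bug report, OpenSSH or Monkeysphere):
verify that an OpenPGP Ed25519 public-key packet wraps the same 32-byte key
as an OpenSSH ssh-ed25519 host key, then apply the report's server-side rule.
Sample key bytes below are constructed, not a real host key."""
import base64
import struct

# OpenPGP constants from RFC 4880 / RFC 9580 (legacy EdDSA = algorithm 22).
PKT_TAG_PUBLIC_KEY = 6
PUBKEY_ALGO_EDDSA_LEGACY = 22
OID_ED25519 = bytes.fromhex("2b06010401da470f01")  # 1.3.6.1.4.1.11591.15.1

# Algorithm name proposed in the bug report.
PROPOSED_ALGO = "openpgp-ed25519-cert@monkeysphere.info"


def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def parse_ssh_ed25519_pubkey(line: str) -> bytes:
    """Return the raw 32-byte key from an 'ssh-ed25519 AAAA... comment' line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-ed25519":
        raise ValueError("not an ssh-ed25519 public key line")
    blob = base64.b64decode(parts[1])
    fields, off = [], 0
    while off < len(blob):
        (n,) = struct.unpack_from(">I", blob, off)
        off += 4
        fields.append(blob[off:off + n])
        off += n
    if len(fields) != 2 or fields[0] != b"ssh-ed25519" or len(fields[1]) != 32:
        raise ValueError("malformed ssh-ed25519 key blob")
    return fields[1]


def build_openpgp_ed25519_pubkey_packet(pub: bytes, created: int = 0) -> bytes:
    """Build a v4 public-key packet (new-format header) wrapping an Ed25519 key."""
    if len(pub) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    point = b"\x40" + pub  # 0x40 prefix marks the native (compressed) point encoding
    mpi = struct.pack(">H", int.from_bytes(point, "big").bit_length()) + point
    body = (bytes([4]) + struct.pack(">I", created)
            + bytes([PUBKEY_ALGO_EDDSA_LEGACY, len(OID_ED25519)]) + OID_ED25519 + mpi)
    if len(body) >= 192:
        raise ValueError("one-octet packet length exceeded")  # cannot happen for Ed25519
    return bytes([0xC0 | PKT_TAG_PUBLIC_KEY, len(body)]) + body


def parse_openpgp_ed25519_pubkey(pkt: bytes) -> bytes:
    """Extract the 32-byte key from a v4 EdDSA(Ed25519) public-key packet."""
    if len(pkt) < 2 or pkt[0] & 0xC0 != 0xC0:
        raise ValueError("expected a new-format packet header")
    if pkt[0] & 0x3F != PKT_TAG_PUBLIC_KEY:
        raise ValueError("not a public-key packet")
    length = pkt[1]
    if length >= 192:
        raise ValueError("multi-octet lengths not handled in this example")
    body = pkt[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    version, _created, algo, oid_len = struct.unpack_from(">BIBB", body, 0)
    if version != 4 or algo != PUBKEY_ALGO_EDDSA_LEGACY:
        raise ValueError("not a v4 EdDSA public-key packet")
    off = 7
    if body[off:off + oid_len] != OID_ED25519:
        raise ValueError("curve OID is not Ed25519")
    off += oid_len
    (bits,) = struct.unpack_from(">H", body, off)
    off += 2
    point = body[off:off + (bits + 7) // 8]
    if len(point) != 33 or point[0] != 0x40:
        raise ValueError("malformed Ed25519 point MPI")
    return point[1:]


def host_key_matches(ssh_line: str, pgp_packet: bytes) -> bool:
    """True when the ssh-ed25519 key and the OpenPGP packet carry the same key."""
    return parse_ssh_ed25519_pubkey(ssh_line) == parse_openpgp_ed25519_pubkey(pgp_packet)


def choose_hostkey_blob(client_prefs, ssh_line: str, pgp_packet):
    """Report's server-side rule plus a consistency check (this example's addition):
    send the .pgp bytes only if the client listed the proposed algorithm, the file
    exists and it wraps the same key; otherwise send the plain ssh-ed25519 blob."""
    if (pgp_packet is not None and PROPOSED_ALGO in client_prefs
            and host_key_matches(ssh_line, pgp_packet)):
        return PROPOSED_ALGO, pgp_packet
    return "ssh-ed25519", base64.b64decode(ssh_line.split()[1])


# Constructed sample data (not a real host key; creation time is arbitrary).
SAMPLE_PUB = bytes(range(1, 33))
SAMPLE_SSH_LINE = ("ssh-ed25519 "
                   + base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(SAMPLE_PUB)).decode()
                   + " host.example")
SAMPLE_PGP = build_openpgp_ed25519_pubkey_packet(SAMPLE_PUB, created=1556640000)
MISMATCHED_PGP = build_openpgp_ed25519_pubkey_packet(bytes(32))

if __name__ == "__main__":
    print(host_key_matches(SAMPLE_SSH_LINE, SAMPLE_PGP))      # True
    print(host_key_matches(SAMPLE_SSH_LINE, MISMATCHED_PGP))  # False
    print(choose_hostkey_blob([PROPOSED_ALGO], SAMPLE_SSH_LINE, SAMPLE_PGP)[0])
```

The packet builder exists only so the example runs offline; a real `$FOO.pgp` would come from GnuPG or Monkeysphere and would usually carry further packets (user ID, self-signature) after the key packet, which a production check would have to walk past rather than reject.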
bugzilla-daemon at bugzilla.mindrot.org
2019-Apr-30 15:59 UTC
[Bug 3001] enable sending OpenPGP-formed certificates for ssh hosts
https://bugzilla.mindrot.org/show_bug.cgi?id=3001

Daniel Kahn Gillmor <dkg at fifthhorseman.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Alias|                            |openpgp-ed25519-cert at monkeysphere.info
bugzilla-daemon at bugzilla.mindrot.org
2020-Jan-25 12:45 UTC
[Bug 3001] enable sending OpenPGP-formed certificates for ssh hosts
https://bugzilla.mindrot.org/show_bug.cgi?id=3001

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Status|NEW                         |RESOLVED
        Resolution|---                         |WONTFIX
                CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
We don't want to support another certificate algorithm with the requisite additional attack surface and additional, significantly different semantics to OpenSSH's existing key/cert methods, sorry.
bugzilla-daemon at mindrot.org
2021-Apr-23 04:55 UTC
[Bug 3001] enable sending OpenPGP-formed certificates for ssh hosts
https://bugzilla.mindrot.org/show_bug.cgi?id=3001

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Status|RESOLVED                    |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Closing resolved bugs as of 8.6p1 release.