On Thu, 18 Mar 2010, Iain Morgan wrote:
> Hi,
>
> I'm experimenting with host certificates in 5.4p1 and seem to have hit
a
> usability issue. I've generated a host certificate, added the
> HostCertificate option to the sshd_config and restarted sshd. I've
> replaced the system's ssh_known_hosts file with one that has a single
> entry of the form:
>
> @cert-authority *.example.domain ssh-rsa ...
>
> This works provided that I use the host's FQDn when I ssh to it. If I
> use an unqualified name, the connection is made but the certificate
> verification fails. I suppose an entry like
>
> @cert-authority *,*.example.domain ssh-rsa ...
>
> would work, but it doesn't seem prudent. How are you supposed to
specify
> that the cert-authority is for the local domain? It seem like the name
> of the target host should be resolved to a FQDN prior to checking
> whether or not the cert-authority is applicable.
>
> I know this issue _could_ be addressed by listing the unqualified name
> as well as the globbed domain name, but that doesn't seem like a very
> scalable solution.
Yes, it would be good if we could get feedback from the resolver as to
which effective FQDN was used for resolution so we could canonicalise the
name without an unsafe reverse lookup step. I haven't yet looked into
how to do this.
Two more alternatives: have some way of expressing wildcards that match
only unqualified domains (e.g. rtr-syd-*[^.]*) or allow CIDR address
matching in the host list so you could specify something like:
@cert-authority 10.0.0.0/8 ssh-rsa ...
Though we would need to think through the consequences first.
-d