Greetings,

For those interested in using certificates with hostbased
authentication, I have just submitted an enhancement request[1] to the
OpenSSH bugzilla site with a preliminary patch that adds support for
this.

Despite the fact that hostbased authentication is, by default, disabled
for both the client and server, there are environments where hostbased
authentication can be very useful. One such example would be large
compute clusters. In such environments, being able to use certificates
would ease the management of the ssh_known_hosts file and simplify the
process of adding additional compute nodes or replacing existing host
keys.

The intent of the patch is to extend certificate support to hostbased
authentication in a fairly transparent manner. If hostbased
authentication is enabled and the client has a host cert, it will be
included in the authentication message. And if the server has an
appropriate @cert-authority entry in the ssh_known_hosts file, the
request can be authenticated with the usual caveats and conditions
applied to hostbased authentication.

If the certificate has a non-empty list of principals, the resolved name
(or possibly the canonical hostname supplied in the authentication
message) will be checked against the list of principals. Thus, the list
of principals should include the fully-qualified name of the client
host.

The ordering of hostbased authentication attempts has been chosen to
prefer certificates if they are available. Once the client has tried any
available certificates without success, it will then try unadorned host
keys in the usual order (DSA followed by RSA). This means that in a
worst-case scenario four hostbased authentication attempts may be tried.
However, it is expected that most sites will only deploy one host
certificate type and thus the maximum number of attempts under such
circumstances would only be three.

The patch has only undergone limited testing at this point, but it
appears to be functional. It has been tested both with and without
ssh-keysign and some (but not all) error cases have been tested.

Feel free to provide input to bz#1776 or as a response to this email if
you prefer.

Regards,

--
Iain Morgan

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=1776
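Added example, not part of the patch or of OpenSSH itself: the deployment steps a cluster would follow to use the mechanism described in the email, using standard ssh-keygen commands. The host CA, the node name node01.cluster.example.com, the *.cluster.example.com pattern and all file paths are assumptions; the @cert-authority line is the ssh_known_hosts entry the server consults once the patch is applied, and the principal check mirrors the rule that the principal list must contain the client's fully-qualified name.

```shell
#!/bin/sh
# Added example (assumed names and paths, not from the patch): host CA setup,
# host certificate with the client FQDN as principal, and the server's
# @cert-authority entry for ssh_known_hosts.
set -eu
command -v ssh-keygen >/dev/null 2>&1 || { echo 'ssh-keygen is required' >&2; exit 1; }

WORK="$(mktemp -d)"
CLIENT_FQDN="node01.cluster.example.com"   # constructed sample client host
CA_PATTERN="*.cluster.example.com"         # hosts this CA is trusted to vouch for

# 1. Create the host CA key pair (in practice kept off the compute nodes).
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'cluster host CA' -f "$WORK/host_ca"
}

# 2. Generate the client node's host key and sign it as a host certificate (-h).
#    The principal list (-n) must carry the client's fully-qualified name,
#    because the server compares the resolved client name against it.
make_host_cert() {
    ssh-keygen -q -t ed25519 -N '' -f "$WORK/ssh_host_ed25519_key"
    ssh-keygen -q -s "$WORK/host_ca" -I "$CLIENT_FQDN host key" -h \
        -n "$CLIENT_FQDN" -V +52w "$WORK/ssh_host_ed25519_key.pub"
}

# 3. Server side: one @cert-authority line in ssh_known_hosts trusts every host
#    certificate issued by this CA for client hosts matching CA_PATTERN.
known_hosts_line() {
    printf '@cert-authority %s %s\n' "$CA_PATTERN" \
        "$(cut -d' ' -f1,2 "$WORK/host_ca.pub")"
}

# 4. Pre-deployment check: succeed only if the given name appears in the
#    certificate's Principals block as printed by ssh-keygen -L.
cert_has_principal() {
    ssh-keygen -L -f "$WORK/ssh_host_ed25519_key-cert.pub" \
        | sed -n '/Principals:/,/Critical Options:/p' \
        | tr -d '[:blank:]' | grep -qxF "$1"
}

make_ca
make_host_cert
known_hosts_line
```

The printed line belongs in the server's ssh_known_hosts; HostbasedAuthentication still has to be enabled on both sides as usual.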