Hi,

I'm currently deploying signed host keys for my environment. Everything seems to work fine but I have one problem with host-based authentication.

I'm running OpenSSH_6.5p1, OpenSSL 1.0.1e-fips 11 Feb 2013 on RHEL 6.5.

When trying to log in between hosts with host-based authentication configured I can't do so if the host is not in /etc/ssh_known_hosts. If it's there it works even if the public key is wrong. It should be enough to have a single "@cert-authority" line in ssh_known_hosts, right?

m1# ssh m3 -v
...
debug1: Host 'm3' is known and matches the RSA-CERT host certificate.
debug1: Found CA key in /etc/ssh/ssh_known_hosts:1
...
debug1: ssh_rsa_verify: signature correct

-----

m3# /usr/sbin/sshd -dd
...
debug3: load_hostkeys: loading entries for host "m1" from file "/etc/ssh/ssh_known_hosts"
debug3: load_hostkeys: found ca key type RSA in file /etc/ssh/ssh_known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug1: check_key_in_hostfiles: key for host m1 not found
debug1: check_key_in_hostfiles: key for host m1 not found

Why can't I use the CA for host-based auth?
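The split that the sshd debug output above shows (a CA entry is loaded for m1, but no plain key for m1 is found) can be reproduced offline against a copy of ssh_known_hosts. The following Python is an added example, not OpenSSH code: the function names, the sample file contents and the placeholder keys are constructed for this illustration. It parses known_hosts lines, separates plain host keys from @cert-authority and @revoked entries using OpenSSH-style host pattern lists, and flags a host that is covered only by a CA line, which is the state m1 was in on m3.

```python
import fnmatch
from typing import Dict, List

# Constructed sample ssh_known_hosts (keys are placeholders, not real keys):
# one CA line covering every host and a plain host key for m2 only.
SAMPLE_KNOWN_HOSTS = """\
@cert-authority *.example.com,m1,m2,m3 ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER_CA host CA
m2,m2.example.com ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER_M2 m2 plain key
@revoked m4 ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER_OLD retired m4 key
"""


def host_matches(pattern_list: str, host: str) -> bool:
    """OpenSSH-style pattern list: comma separated, '*' and '?' wildcards,
    and a '!' pattern that matches makes the whole list a non-match."""
    matched = False
    for pat in pattern_list.split(","):
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def lookup_known_hosts(text: str, host: str) -> Dict[str, List[str]]:
    """Return every entry that applies to host, grouped by marker:
    'plain', 'cert-authority' or 'revoked'. Hashed (|1|...) entries are
    skipped because their hostnames cannot be pattern-matched."""
    found: Dict[str, List[str]] = {"plain": [], "cert-authority": [], "revoked": []}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = "plain"
        if fields[0].startswith("@"):
            marker = fields.pop(0)[1:]
        if len(fields) < 3 or fields[0].startswith("|1|") or marker not in found:
            continue
        hosts, keytype = fields[0], fields[1]
        if host_matches(hosts, host):
            found[marker].append(f"line {lineno}: {keytype}")
    return found


def covered_only_by_ca(text: str, host: str) -> bool:
    """True when host has a matching @cert-authority entry but no plain key,
    the state in which the sshd 6.5 log reports 'key for host m1 not found'."""
    entries = lookup_known_hosts(text, host)
    return bool(entries["cert-authority"]) and not entries["plain"]


if __name__ == "__main__":
    for h in ("m1", "m2", "m4"):
        print(h, lookup_known_hosts(SAMPLE_KNOWN_HOSTS, h), covered_only_by_ca(SAMPLE_KNOWN_HOSTS, h))
```

Run against a real /etc/ssh/ssh_known_hosts, the hosts for which covered_only_by_ca() is true are the ones that will hit the "key for host ... not found" path until a plain key is added or the host-based code path accepts CA entries.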
On Tue, 4 Nov 2014, Peter Ankerstål wrote:

> Hi,
>
> I'm currently deploying signed host keys for my environment. Everything seems
> to work fine but I have one problem with host-based authentication.
>
> I'm running OpenSSH_6.5p1, OpenSSL 1.0.1e-fips 11 Feb 2013 on RHEL 6.5.
>
> When trying to log in between hosts with host-based authentication configured I
> can't do so if the host is not in /etc/ssh_known_hosts. If it's there it works
> even if the public key is wrong. It should be enough to have a single
> "@cert-authority" line in ssh_known_hosts, right?

I don't think host-based auth has ever been properly tested with certified keys (unfortunately, it's barely tested generally due to the difficulty of writing a test script for it). It's entirely possible that there are bugs there.

Please file a report at https://bugzilla.mindrot.org/ and include the config files in question and I'll take a look when I have some time next.

-d