Hello,

Maybe I did not understand correctly the PKI trust, so forgive me if I am wrong.

For example, I have multiple hosts that all serve as monitoring servers. I would like to trust only these hosts, so I enrol a certificate for these using a "monitoring" principal, so I can connect only to these.

At first I thought we could use a Match statement in ssh_config; however, the Match is evaluated before connection, so the remote principal name is not available at this stage.

From what I do understand, the known_hosts format enables a CA key and a DNS mask of matched hosts.

There is no way to match against the certificate principal name.

I thought about something like:

@cert-authority *.mydomain.org,*.mydomain.com,principal=xxx,principal=yyy <CA_KEY>

If the above cannot be done, do you think it would be helpful?

BTW: It would also be handy to allow specifying the CA key within a separate file, something like the following:

@cert-authority-file *.mydomain.org,*.mydomain.com,principal=xxx /etc/.../ca.pub

Regards,
Alon Bar-Lev.
I guess [1] is the answer, and it is not merged yet.

[1] http://serverfault.com/questions/669718/connecting-to-a-pool-member-over-ssh-w-a-host-certificate-good-for-the-pool-nam

On Sun, Feb 22, 2015 at 11:56 PM, Alon Bar-Lev <alon.barlev at gmail.com> wrote:
> Hello,
>
> Maybe I did not understand correctly the PKI trust, so forgive me if I am wrong.
>
> For example, I have multiple hosts that all serve as monitoring
> servers. I would like to trust only these hosts, so I enrol a
> certificate for these using a "monitoring" principal, so I can connect
> only to these.
>
> At first I thought we could use a Match statement in ssh_config; however,
> the Match is evaluated before connection, so the remote principal
> name is not available at this stage.
>
> From what I do understand, the known_hosts format enables a CA key and a
> DNS mask of matched hosts.
>
> There is no way to match against the certificate principal name.
>
> I thought about something like:
>
> @cert-authority
> *.mydomain.org,*.mydomain.com,principal=xxx,principal=yyy <CA_KEY>
>
> If the above cannot be done, do you think it would be helpful?
>
> BTW: It would also be handy to allow specifying the CA key within a separate
> file, something like the following:
>
> @cert-authority-file *.mydomain.org,*.mydomain.com,principal=xxx /etc/.../ca.pub
>
> Regards,
> Alon Bar-Lev.
On Sun, 22 Feb 2015, Alon Bar-Lev wrote:
> Hello,
>
> Maybe I did not understand correctly the PKI trust, so forgive me if I
> am wrong.
>
> For example, I have multiple hosts that all serve as monitoring
> servers. I would like to trust only these hosts, so I enrol a
> certificate for these using a "monitoring" principal, so I can connect
> only to these.
>
> At first I thought we could use a Match statement in ssh_config; however,
> the Match is evaluated before connection, so the remote principal
> name is not available at this stage.
>
> From what I do understand, the known_hosts format enables a CA key and a
> DNS mask of matched hosts.
>
> There is no way to match against the certificate principal name.
>
> I thought about something like:
>
> @cert-authority
> *.mydomain.org,*.mydomain.com,principal=xxx,principal=yyy <CA_KEY>

I don't think I want to add more indirection to known_hosts; the file is already a mess of tangled, overlapping features and I'm terrified to add more :/

Someone sent me a patch to allow certificate hostname principal matching against HostkeyAlias if matching against the exact hostname failed. This might be an alternative way for you to achieve what you want. What do you think?

> If the above cannot be done, do you think it would be helpful?
>
> BTW: It would also be handy to allow specifying the CA key within a separate
> file, something like the following:
>
> @cert-authority-file *.mydomain.org,*.mydomain.com,principal=xxx /etc/.../ca.pub

I'm not sure it's worth the extra complexity in known_hosts parsing, given that it's already possible to specify multiple user/system known_hosts files.

E.g. you could do:

UserKnownHostsFile ~/.ssh/known_hosts ~/.ssh/known_hosts_mydomain

with the latter listing the CA keys.

-d
On Mon, Feb 23, 2015 at 7:35 PM, Damien Miller <djm at mindrot.org> wrote:
>
> On Sun, 22 Feb 2015, Alon Bar-Lev wrote:
>
> > Hello,
> >
> > Maybe I did not understand correctly the PKI trust, so forgive me if I
> > am wrong.
> >
> > For example, I have multiple hosts that all serve as monitoring
> > servers. I would like to trust only these hosts, so I enrol a
> > certificate for these using a "monitoring" principal, so I can connect
> > only to these.
> >
> > At first I thought we could use a Match statement in ssh_config; however,
> > the Match is evaluated before connection, so the remote principal
> > name is not available at this stage.
> >
> > From what I do understand, the known_hosts format enables a CA key and a
> > DNS mask of matched hosts.
> >
> > There is no way to match against the certificate principal name.
> >
> > I thought about something like:
> >
> > @cert-authority
> > *.mydomain.org,*.mydomain.com,principal=xxx,principal=yyy <CA_KEY>
>
> I don't think I want to add more indirection to known_hosts; the file
> is already a mess of tangled, overlapping features and I'm terrified to
> add more :/
>
> Someone sent me a patch to allow certificate hostname principal matching
> against HostkeyAlias if matching against the exact hostname failed.
> This might be an alternative way for you to achieve what you want.
> What do you think?

Yes, I found this patch after I posted this :) It would be a solution.

> > If the above cannot be done, do you think it would be helpful?
> >
> > BTW: It would also be handy to allow specifying the CA key within a separate
> > file, something like the following:
> >
> > @cert-authority-file *.mydomain.org,*.mydomain.com,principal=xxx /etc/.../ca.pub
>
> I'm not sure it's worth the extra complexity in known_hosts parsing,
> given that it's already possible to specify multiple user/system
> known_hosts files.
>
> E.g. you could do:
>
> UserKnownHostsFile ~/.ssh/known_hosts ~/.ssh/known_hosts_mydomain
>
> with the latter listing the CA keys.

I am thinking of avoiding specifying the CA key over and over within the file. I mean, instead of having one large selection of valid principals, enable principals per line, while simplifying the CA key.

Another issue is that, unlike sshd_config, which can point to a file, I cannot have a static configuration for the ssh client side, because I must generate the known_hosts based on the CA key that I receive during setup. Not critical; for this I have a solution.

Thanks!
Alon
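The gap the thread turns on can be made concrete by replaying, on the client side, what a known_hosts `@cert-authority` line actually decides: the line is selected by hostname pattern and CA key, and the hostname is then looked for among the certificate's principals, so a role principal such as "monitoring" never enters the decision. The following is an added example, not OpenSSH code or anything from the thread's participants. It parses a host certificate's wire format (type, principals, validity, signature key) and a `known_hosts` file with Damien's suggested layout (CA lines kept in a second file), applies the hostname/CA checks with the `*`, `?` and `!` semantics of known_hosts patterns, and then adds an `allowed_principals` check that stands in for Alon's `principal=` proposal. The CA key, host key, certificates, hostnames and known_hosts lines are all constructed inside the script; the "keys" are SHA-256 outputs, the certificate signature is a placeholder, and nothing here verifies a signature, which ssh(1) would do before any of this matters.

```python
"""Client-side replay of the known_hosts / host-certificate checks discussed in this thread.
Added example, not OpenSSH code: CA key, host key, certificates and known_hosts lines are
constructed here (SHA-256 outputs stand in for 32-byte keys, the cert signature is a
placeholder, and nothing below verifies a signature; ssh(1) does that)."""
import base64, fnmatch, hashlib, struct

HOST_CERT = 2  # SSH_CERT_TYPE_HOST in PROTOCOL.certkeys
CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def _s(b):  # SSH wire "string": uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b

def _read_s(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def ed25519_blob(raw32):  # key blob as stored in known_hosts and in the cert's signature key
    return _s(b"ssh-ed25519") + _s(raw32)

def build_host_cert(host_pk, ca_pk, principals, key_id, valid_after, valid_before, serial=1):
    """Assemble an ssh-ed25519-cert-v01@openssh.com blob (fixed nonce, placeholder signature)."""
    return (_s(CERT_TYPE) + _s(b"\x11" * 32) + _s(host_pk)   # type, nonce, host public key
            + struct.pack(">QI", serial, HOST_CERT) + _s(key_id.encode())
            + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") + _s(b"") + _s(b"")        # critical options, extensions, reserved
            + _s(ed25519_blob(ca_pk))            # signature key = the CA's public key
            + _s(_s(b"ssh-ed25519") + _s(b"\0" * 64)))  # placeholder, never verified here

def parse_cert(blob):
    """Extract type, principals, validity window and CA key blob from a certificate."""
    ctype, off = _read_s(blob, 0)
    if ctype != CERT_TYPE:
        raise ValueError("unsupported certificate type %r" % ctype)
    _nonce, off = _read_s(blob, off)
    _pk, off = _read_s(blob, off)
    _serial, kind = struct.unpack_from(">QI", blob, off)
    key_id, off = _read_s(blob, off + 12)
    packed, off = _read_s(blob, off)
    principals, p = [], 0
    while p < len(packed):          # "valid principals" is a string of packed strings
        name, p = _read_s(packed, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    _crit, off = _read_s(blob, off + 16)
    _ext, off = _read_s(blob, off)
    _reserved, off = _read_s(blob, off)
    ca_blob, off = _read_s(blob, off)
    return {"kind": kind, "key_id": key_id.decode(), "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before, "ca_blob": ca_blob}

def host_matches(patterns, hostname):
    """known_hosts host matching: '*'/'?' wildcards and '!' negation (hashed '|1|' entries
    and [host]:port forms are not handled; fnmatch would read the brackets as a class)."""
    matched = False
    for pat in patterns:
        if fnmatch.fnmatchcase(hostname, pat.lstrip("!")):
            if pat.startswith("!"):
                return False  # a negated match excludes the whole line
            matched = True
    return matched

def parse_known_hosts(text):
    """Yield (marker, host patterns, key type, decoded key blob) for each entry line."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = None
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        yield marker, fields[0].split(","), fields[1], base64.b64decode(fields[2])

def accept_host_cert(known_hosts, hostname, cert_blob, now, allowed_principals=None):
    """(ok, reason): the checks ssh(1) applies (minus signature verification), then the
    role-principal allow-list that a known_hosts line itself cannot express."""
    cert = parse_cert(cert_blob)
    if cert["kind"] != HOST_CERT:
        return False, "not a host certificate"
    if not cert["valid_after"] <= now < cert["valid_before"]:
        return False, "certificate expired or not yet valid"
    if hostname not in cert["principals"]:
        return False, "hostname is not a certificate principal"
    if not any(m == "@cert-authority" and host_matches(pats, hostname) and blob == cert["ca_blob"]
               for m, pats, _t, blob in parse_known_hosts(known_hosts)):
        return False, "no @cert-authority line covers this host and CA"
    if allowed_principals is not None and not set(cert["principals"]) & set(allowed_principals):
        return False, "certificate carries none of the allowed principals"
    return True, "ok"

# Constructed sample data: a CA line of the kind Damien suggests keeping in a second file.
CA_PK, ROGUE_CA_PK, HOST_PK = (hashlib.sha256(s).digest() for s in
                               (b"constructed CA", b"constructed rogue CA", b"constructed host"))
KNOWN_HOSTS = ("# constructed ~/.ssh/known_hosts_mydomain\n"
               "@cert-authority *.mydomain.org,*.mydomain.com,!bad.mydomain.org ssh-ed25519 "
               + base64.b64encode(ed25519_blob(CA_PK)).decode() + "\n")
MON_CERT = build_host_cert(HOST_PK, CA_PK, ["mon1.mydomain.org", "monitoring"], "mon1", 0, 2**40)
BAD_CERT = build_host_cert(HOST_PK, CA_PK, ["bad.mydomain.org"], "bad", 0, 2**40)
ROGUE_CERT = build_host_cert(HOST_PK, ROGUE_CA_PK, ["mon1.mydomain.org"], "rogue", 0, 2**40)

def demo(now=1_000_000):  # the cases a practitioner would check; returns {case: (ok, reason)}
    return {
        "monitoring role": accept_host_cert(KNOWN_HOSTS, "mon1.mydomain.org", MON_CERT, now, ["monitoring"]),
        "wrong role": accept_host_cert(KNOWN_HOSTS, "mon1.mydomain.org", MON_CERT, now, ["backup"]),
        "negated host": accept_host_cert(KNOWN_HOSTS, "bad.mydomain.org", BAD_CERT, now),
        "rogue CA": accept_host_cert(KNOWN_HOSTS, "mon1.mydomain.org", ROGUE_CERT, now),
        "expired": accept_host_cert(KNOWN_HOSTS, "mon1.mydomain.org", MON_CERT, 2**41),
    }
```

Only the "monitoring role" case is accepted; "wrong role" is rejected solely by the added allow-list, which is the decision ssh(1) has no place to make from known_hosts alone. For a real certificate the same fields can be inspected with `ssh-keygen -L -f host_key-cert.pub`, and a host certificate carrying both the hostname and a role name is produced with `ssh-keygen -s ca_key -I mon1 -h -n mon1.mydomain.org,monitoring host_key.pub`; with the HostkeyAlias-based patch Damien mentions, the alias rather than the hostname is what gets compared against those principals.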