Rory Campbell-Lange
2020-Jun-16 19:36 UTC
client host certificates and receiving host configuration
I'm working on a small server written in Go to add short-lived user certificates to the forwarded agents of authorized users.

https://github.com/rorycl/sshagentca

This seems to work quite well for accessing sshd servers with the appropriately configured "TrustedUserCAKeys" directive.

I have been in a debate about how similarly adding host certificates to forwarded agents could help mitigate man-in-the-middle attacks. This has raised a few questions.

Firstly, given a host CA signing key on the sshagentca server, would an appropriately constructed host certificate added to a forwarded agent replace the necessity for a '@cert-authority' line in a user's known_hosts file?

Secondly, would there be any alteration to the requirement for a "HostCertificate" CA-signed public key (from a private "HostKey") on sshd receiving servers?

Many thanks
Rory
Damien Miller
2020-Jun-17 00:31 UTC
client host certificates and receiving host configuration
On Tue, 16 Jun 2020, Rory Campbell-Lange wrote:

> I'm working on a small server written in Go to add short-lived user
> certificates to the forwarded agents of authorized users.
>
> https://github.com/rorycl/sshagentca
>
> This seems to work quite well for accessing sshd servers with the
> appropriately configured "TrustedUserCAKeys" directive.
>
> I have been in a debate about how similarly adding host certificates to
> forwarded agents could help mitigate man-in-the-middle attacks. This has
> raised a few questions.
>
> Firstly, given a host CA signing key on the sshagentca server, would an
> appropriately constructed host certificate added to a forwarded agent
> replace the necessity for a '@cert-authority' line in a user's known_hosts
> file?

I'm not sure I want to add yet another path (the agent) to ssh's already twisty host key verification logic. However, a few people have requested a KnownHostsCommand option that allows the output of a subprocess to be used in addition to the usual known_hosts. Would this work for you?

> Secondly, would there be any alteration to the requirement for a
> "HostCertificate" CA-signed public key (from a private "HostKey") on
> sshd receiving servers?

I don't understand what you mean here. Could you elaborate?

-d
Rory Campbell-Lange
2020-Jun-17 06:17 UTC
client host certificates and receiving host configuration
On 17/06/20, Damien Miller (djm at mindrot.org) wrote:

> > Firstly, given a host CA signing key on the sshagentca server, would an
> > appropriately constructed host certificate added to a forwarded agent
> > replace the necessity for a '@cert-authority' line in a user's known_hosts
> > file?
>
> I'm not sure I want to add yet another path (the agent) to ssh's already
> twisty host key verification logic. However, a few people have requested
> a KnownHostsCommand option that allows the output of a subprocess to
> be used in addition to the usual known_hosts. Would this work for you?
>
> > Secondly, would there be any alteration to the requirement for a
> > "HostCertificate" CA-signed public key (from a private "HostKey") on
> > sshd receiving servers?
>
> I don't understand what you mean here. Could you elaborate?

My apologies for the poor explanation. Let me try again.

Adding a user certificate to a client forwarded agent allows that client to use that certificate to authenticate to servers with TrustedUserCAKeys set to the public key used to sign the certificate.

What would host certificates added to a client forwarded agent give one (if any), and what part of the normal set of configuration requirements* does it help with?

* normal config : @cert-authority in the client's ~/.ssh/known_hosts;
  setup of appropriate HostCertificate directives on receiving hosts

Thanks very much
Rory
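
The "normal config" named in the footnote above, written out as an added illustration that is not part of the original thread or of sshagentca. File paths, the host pattern, the certificate identity and the key material are assumed placeholders.

```conf
# ---------------------------------------------------------------------------
# Receiving host: /etc/ssh/sshd_config   (paths are assumed, conventional ones)
# ---------------------------------------------------------------------------
# Private host key, and the certificate the host CA issued for its public half.
# The certificate would be produced with something like:
#   ssh-keygen -s <host_ca_private_key> -I <certificate-identity> -h \
#              -n <hostname-principals> /etc/ssh/ssh_host_ed25519_key.pub
# which writes ssh_host_ed25519_key-cert.pub next to the public key.
HostKey         /etc/ssh/ssh_host_ed25519_key
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub

# Public key of the *user* CA. User certificates signed by it (such as the
# short-lived ones loaded into a forwarded agent) are accepted for login.
TrustedUserCAKeys /etc/ssh/user_ca.pub

# ---------------------------------------------------------------------------
# Client: ~/.ssh/known_hosts
# ---------------------------------------------------------------------------
# Public key of the *host* CA. A host matching the pattern is accepted when it
# presents a certificate signed by this key, with no per-host key entry needed.
@cert-authority *.example.org ssh-ed25519 <HOST_CA_PUBLIC_KEY_BASE64> host-ca
```

The two CAs work in opposite directions: TrustedUserCAKeys lets the server verify the user, while the @cert-authority line lets the client verify the server.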