Hi, we're looking to reduce the number of host lists that need to be kept in sync in our system. (There are quite a few of them all over the place.) OpenSSH CAs are an obvious solution for not having to keep all host keys in sync in /etc/ssh/known_hosts; however, while OpenSSH does support using a CA in conjunction with hostbased authentication, it still requires a list of all authorized host names in the rhosts / shosts file. That does make sense, as known_hosts is of course primarily for, well, knowing host keys, and doesn't say anything about trusting them for hostbased authentication, so for hostbased using a @cert-authority here is functionally the same as just listing all issued public keys directly. While that's an improvement over having to keep both authorized_keys and shosts up to date, as the whole point of a CA mechanism is to delegate trust, shosts seems a bit redundant in this case. It seems to me like there's a missing piece here, something like an /etc/ssh/authorized_keys, which would allow you to write something in the spirit of

cert-authority,hosts="*.mycluster.foo.bar" ssh-...

which would then permit hostbased authentication for hosts with a valid certificate matching the hostname pattern without passing further shosts checks.

Cheers, Marian
Rory Campbell-Lange
2023-Nov-10 00:34 UTC
@cert-authority for hostbased auth - sans shosts?
On 09/11/23, Marian Beermann (public at enkore.de) wrote:
> ... while OpenSSH does support using a CA in conjunction with hostbased
> authentication, it still requires a list of all authorized host names in the
> rhosts / shosts file.

I'm not familiar with the use of .rhosts/.shosts, but I don't think those are needed at all with a machine or per-user known_hosts file/files utilizing host certificates. The known_hosts file can have patterns such as the following:

@cert-authority *.example.com ecdsa-sha2-nistp256 AAAAE2V...

Would accept the host certificate authority for *.example.com. The "Hostnames" field can be expanded as needed, and can include hashed hostnames. See:

https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Certificate-based_Authentication#4._Updating_Clients_to_Acknowledge_the_Designated_Certificate_Authority

Another example (from the sshd man page):

@cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W...

Could that work for you?

Rory
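The part of the mechanism both messages turn on is the "Hostnames" field of a known_hosts entry: it decides which CA is allowed to vouch for which hosts, whether the file is a client's known_hosts or the /etc/ssh/ssh_known_hosts that sshd consults for HostbasedAuthentication. The following is an added example, not code from this thread or from OpenSSH: a small Python model of that matching step, covering the @cert-authority / @revoked markers, comma-separated pattern lists with `*`, `?` and `!` negation, and the hashed `|1|salt|hmac` form Rory mentions. The known_hosts text and the key blobs in it are constructed placeholders. The shosts.equiv check that Marian describes is a separate step in sshd and is deliberately not modelled here.

```python
"""Constructed example: parse OpenSSH known_hosts lines (markers, pattern
lists, negation, hashed hostnames) and report which @cert-authority entries
apply to a hostname. Key blobs are placeholders, not real keys."""
import base64
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class KnownHostsEntry:
    marker: Optional[str]  # None, "cert-authority" or "revoked"
    hosts: str             # comma-separated pattern list, as written in the file
    key_type: str
    key_blob: str          # base64 key material, left untouched
    comment: str

def parse_known_hosts(text: str) -> List[KnownHostsEntry]:
    """Parse lines of the form: [@marker] hostpatterns keytype base64 [comment]."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        marker = None
        if line.startswith("@"):
            head = line.split(None, 1)
            if len(head) != 2 or head[0][1:] not in ("cert-authority", "revoked"):
                raise ValueError(f"bad marker in known_hosts line: {raw!r}")
            marker, line = head[0][1:], head[1]
        parts = line.split(None, 3)
        if len(parts) < 3:
            raise ValueError(f"malformed known_hosts line: {raw!r}")
        comment = parts[3] if len(parts) == 4 else ""
        entries.append(KnownHostsEntry(marker, parts[0], parts[1], parts[2], comment))
    return entries

def _glob_match(pattern: str, host: str) -> bool:
    # OpenSSH patterns know only '*' (any run) and '?' (one char); no [] classes.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, host) is not None

def hash_hostname(host: str, salt: bytes) -> str:
    """Hashed form used by HashKnownHosts: |1|<b64 salt>|<b64 HMAC-SHA1(salt, host)>."""
    digest = hmac.new(salt, host.lower().encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def _hashed_match(pattern: str, host: str) -> bool:
    _, version, salt_b64, digest_b64 = pattern.split("|")
    if version != "1":
        return False
    actual = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, base64.b64decode(digest_b64))

def host_matches(pattern_list: str, host: str) -> bool:
    """Apply one entry's pattern list to a (lower-cased) hostname. A matching
    negated ('!') pattern vetoes the entry; otherwise any positive match wins.
    Non-default ports are written as [host]:port and must be passed that way."""
    host = host.lower()
    matched = False
    for pat in pattern_list.split(","):
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        hit = _hashed_match(pat, host) if pat.startswith("|1|") else _glob_match(pat.lower(), host)
        if hit and negate:
            return False
        matched = matched or hit
    return matched

def trusted_cas_for(entries: List[KnownHostsEntry], host: str) -> List[KnownHostsEntry]:
    """CA keys this file trusts to sign host certificates for `host`."""
    return [e for e in entries if e.marker == "cert-authority" and host_matches(e.hosts, host)]

# Constructed sample known_hosts; the key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """
# cluster host CA, trusted for every host under example.com
@cert-authority *.example.com ecdsa-sha2-nistp256 AAAAE2V...PLACEHOLDER primary CA
# second CA, trusted for example.net and for example.com except the build host
@cert-authority !build.example.com,*.example.com,*.example.net ssh-ed25519 AAAAC3...PLACEHOLDER secondary CA
# ordinary pinned host key: no CA involved
bastion.example.org,10.0.0.5 ssh-ed25519 AAAAC3...PLACEHOLDER bastion
"""

if __name__ == "__main__":
    entries = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    for host in ("node1.example.com", "build.example.com", "node1.example.net", "evil.com"):
        cas = [e.comment for e in trusted_cas_for(entries, host)]
        print(f"{host:20s} -> CAs trusted to vouch for it: {cas or 'none'}")
```

Two details are worth noting when scoping a CA this way. A negated pattern only ever removes hosts from an entry's scope, so a list made up solely of `!` patterns matches nothing, and the host CA for `*.example.com` also vouches for any host whose certificate principal ends in `.example.com`, which is exactly the delegation Marian describes and the reason a second list (shosts.equiv) still exists on the hostbased side.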