Owen DeLong
2023-Dec-11 07:38 UTC
[Samba] ssh with certificates - was: AW: Samba Bind DLZ and Zone signing
To be clear, DNS only provides HOST identification validation (the host's key fingerprints are stored as RDATA in an SSHFP DNS record). This avoids the need to validate the server's key on first connection or delete it from the known_hosts file when it changes, but it has nothing to do with user authentication.

Owen

On Dec 10, 2023, at 11:31, Joachim Lindenberg via samba <samba at lists.samba.org> wrote:

Out of curiosity:
I am wondering who recommends ssh key management via dnssec? Afaik it only addresses host authentication but not user authentication, and putty (the most popular client on Windows) does not support it at all. I personally experimented with Kerberos, but there are also gaps in support, in particular Windows ssh server does not support it. I haven't tried ssh with certificates yet, but the descriptions I have seen look ok, only that standard x.509 certificates cannot be reused.
What prevents you (or others) from using certificates?
Joachim

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Sami Hulkko via samba
Sent: Sunday, 10 December 2023 20:04
To: samba at lists.samba.org
Subject: Re: [Samba] Samba Bind DLZ and Zone signing

Hi,

One can use ssh verification of hosts with DNS provided HOST KEY (the one in ~/.ssh/id_rsa.pub and one in /etc/ssh/ folder for host) that requires DNSSEC zone signing. It is recommended practice to authenticate SSH hosts to clients and preferred over more complex SSL Certificate method. Secure signed zone is prerequisite for SSH to approve the host ID provided by DNS.

SH

On 10/12/2023 18.50, Rowland Penny via samba wrote:
> On Sun, 10 Dec 2023 17:23:19 +0200
> Sami Hulkko via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> Is there any way of signing the zones with zone-signing key? How would one add zone-signing key and key signing key to DLZ database? The Windows 11 Pro RSAT tool for nameserver does not accept key addition and states unauthorized.
>>
> I think you need to explain what you are trying to achieve. As far as I am aware, Windows clients can update their own dns records in AD and Unix clients need to use kerberos. so just what are you trying to do and why ?
>
> Rowland
>

--
Me worry? That's why my first CD was Peter Gabriel SO....
Sami Hulkko
sahulkko at gmail.com
sahulkko at icloud.com
samihulkko at quantum-black-hole.com
+358 45 85693 919

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
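The mechanism Owen and Sami describe, as an added example that is not part of the thread: the SSHFP RDATA is the algorithm number, the fingerprint type, and a hash of the raw host public key blob (the base64 column of the OpenSSH public key line, the same input `ssh-keygen -r` hashes). The script below builds that RDATA from a key line and performs the client-side comparison that `VerifyHostKeyDNS yes` performs, refusing to approve a key when the DNS answer did not validate under DNSSEC. The key line it uses is constructed (a fixed byte pattern in OpenSSH wire format, not a real key pair) and the hostname and flag names are illustrative assumptions.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by OpenSSH key type
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1 (legacy), 2 = SHA-256
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_openssh_pubkey(line: str):
    """Split an OpenSSH public key line into (key type, raw wire-format blob).

    The blob's first length-prefixed string repeats the key type from the
    first column; a mismatch means the line was tampered with or mangled."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1])
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len].decode("ascii") != key_type:
        raise ValueError("key type in blob does not match first column")
    return key_type, blob


def sshfp_fingerprint(blob: bytes, fp_type: int) -> str:
    """Hex digest of the raw key blob under the given SSHFP fingerprint type."""
    return SSHFP_HASH[fp_type](blob).hexdigest()


def sshfp_rdata(line: str, fp_type: int = 2) -> str:
    """RDATA of the SSHFP record for this key, e.g. '4 2 <sha256 hex>'."""
    key_type, blob = parse_openssh_pubkey(line)
    return f"{SSHFP_ALGORITHM[key_type]} {fp_type} {sshfp_fingerprint(blob, fp_type)}"


def host_key_matches(offered_key_line: str, sshfp_rdata_set, dnssec_validated: bool) -> bool:
    """Client-side check: does the key offered in the SSH handshake match one of
    the published SSHFP records? An answer that did not validate under DNSSEC
    (no AD bit from a validating resolver) carries no trust and approves nothing."""
    if not dnssec_validated:
        return False
    key_type, blob = parse_openssh_pubkey(offered_key_line)
    algo = SSHFP_ALGORITHM.get(key_type)
    for rdata in sshfp_rdata_set:
        a, t, fp = rdata.split()
        if int(a) == algo and int(t) in SSHFP_HASH and fp.lower() == sshfp_fingerprint(blob, int(t)):
            return True
    return False


def constructed_ed25519_key_line() -> str:
    """A CONSTRUCTED key line for demonstration only, not a real key pair:
    32 patterned bytes wrapped in OpenSSH's wire format for ssh-ed25519."""
    pub = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " constructed@example"


if __name__ == "__main__":
    line = constructed_ed25519_key_line()
    # Zone file lines for an assumed hostname; publish both hash types for old clients.
    for fp_type in (1, 2):
        print("host.example.  IN SSHFP", sshfp_rdata(line, fp_type))
    records = [sshfp_rdata(line, 2)]
    print("validated answer, matching key:", host_key_matches(line, records, True))
    print("unvalidated answer, same key:  ", host_key_matches(line, records, False))
```

The `dnssec_validated` flag is the whole point of Sami's "signed zone is prerequisite" remark: without a validated answer the record is just unauthenticated text, so a client treats it exactly like an unknown host key. OpenSSH's own client performs this check when `VerifyHostKeyDNS` is set and the resolver reports the answer as authentic.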
Rowland Penny
2023-Dec-11 09:15 UTC
[Samba] ssh with certificates - was: AW: Samba Bind DLZ and Zone signing
On Mon, 11 Dec 2023 07:38:40 +0000
Owen DeLong via samba <samba at lists.samba.org> wrote:
> To be clear, DNS only provides HOST identification validation (the host's key fingerprints are stored as RDATA in an SSHFP DNS record).
>
> This avoids the need to validate the server's key on first connection or delete it from the known_hosts file when it changes, but it has nothing to do with user authentication.
>
> Owen
>
> On Dec 10, 2023, at 11:31, Joachim Lindenberg via samba <samba at lists.samba.org> wrote:
>
> Out of curiosity:
> I am wondering who recommends ssh key management via dnssec? Afaik it only addresses host authentication but not user authentication, and putty (the most popular client on Windows) does not support it at all. I personally experimented with Kerberos, but there are also gaps in support, in particular Windows ssh server does not support it. I haven't tried ssh with certificates yet, but the descriptions I have seen look ok, only that standard x.509 certificates cannot be reused.
> What prevents you (or others) from using certificates? Joachim
>

There appear to be big problems with trying to use SSHFP with Active Directory. OpenSSH would prefer you to use certificates, they do not appear to have the code to use SSHFP with DNSSEC. Windows requires 2012 before you can even add the DNSSEC keys and even then it is highly experimental. Entra (was Azure) doesn't currently support DNSSEC.

Bit of a dead duck if you ask me and probably a very niche case.

Of course, if someone wants to write the code to make it work, then great, but I think they would have to liaise with:

Samba
OpenSSH
Bind
Microsoft

Rowland