From: "Wolfgang S. Rupprecht"
Date: Wed, 15 Nov 2006 16:53:55 -0800
To: freebsd-current@freebsd.org
Cc: tech@openbsd.org, openssh-unix-dev@mindrot.org, freebsd-current@freebsd.org
Subject: Re: OpenSSH Certkey (PKI)
Organization: W S Rupprecht Computer Consulting, Fremont CA
Message-ID: <87odr8i53w.fsf@arbol.wsrcc.com>
References: <20061115142820.GB14649@insomnia.benzedrine.cx>

Daniel Hartmeier writes:
> This patch against OpenBSD -current adds a simple form of PKI to
> OpenSSH. We'll be using it at work.

Sounds like something that was needed for a while.

> +A host certificate is a guarantee made by the CA that a host public key is
> +valid. When a host public key carries a valid certificate, the client can
> +use the host public key without asking the user to confirm the fingerprint
> +manually and through out-of-band communication the first time. The CA takes
> +the responsibility of verifying host keys, and users do no longer need to
> +maintain known_hosts files of their own.

This confuses the whole authentication vs. authorization concepts.

authentication - "May I please see your driver's license?"
authorization - "That's a valid license but I don't see your name on the
list to go in."

I would hate to have my ssh allow anyone in just because we used the
same CA. I still see the authorized_keys file as having a very
important role even if the first layer defense is to check if the
certificate is signed by a CA I trust.

> +The CA, specifically the holder of the CA private key (and its password, if it
> +is password encrypted), holds broad control over hosts and user accounts set
> +up in this way. Should the CA private key become compromised, all user
> +accounts become compromised.
> +
> +There is no way to revoke a certificate once it has been published, the
> +certificate is valid until it reaches the expiry date set by the CA.

This fix is in the bag once authorized_keys gets consulted even for
certificates.

-wolfgang
-- 
Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/
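
Review bot: In the host certificate paragraph of the quoted patch, "valid" is applied to both the key and the certificate without saying what the client verifies before it skips the fingerprint prompt. The text should list the checks that make a certificate valid, at minimum that it is signed by the configured CA and has not expired, and say whether the certificate is tied to the host name being connected to; as written, a reader can assume any CA-signed host key is accepted for any host. Separately, "users do no longer need to" should read "users no longer need to".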
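
Review bot: In the CA key compromise paragraph of the quoted patch, the consequence is stated only for user accounts ("all user accounts become compromised"), although the sentence before it says the CA holds control over "hosts and user accounts"; the text should say that host certificates are affected too. The no-revocation paragraph that follows gives an administrator nothing to act on: since expiry is the only limit it describes, it should recommend short validity periods, or the certificate check should consult a list of revoked certificates. The comma splice in "once it has been published, the certificate is valid" needs a full stop or a semicolon.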