Contributed by deanna on from the building a better ssh dept.
Daniel Hartmeier recently submitted to the OpenBSD tech mailing list a very interesting addition to OpenSSH, a PKI whose goal is to simplify host and user key administration.
While reading this, keep in mind that the work is still under review: many have voiced opinions and criticism, and the code has not been imported into CVS. I'd also like to point out that the work dhartmei@ has done was sponsored by Allamanda Networks AG.
The starting point of all of this seems to be the state of key handling at large sites: a complete mess.
Various efforts exist (such as the ssh-lpk patch, which looks public keys up in LDAP) to address this. At most large sites, though, host and user keys are handled by an in-house solution, usually built on a well-known distribution method such as rsync, rdist or cfengine. The basic problem with looking keys up in a central repository at login time is that the repository needs to be reachable at all times (which is why the ssh-lpk patch is problematic): when half of your network is down, you don't want to be scratching your head wondering why you can't log in to the machines that are still up.
So a good PKI for SSH needs to address these points:
- Take over the role of the known_hosts file
- Take over the role of the authorized_keys file
- Be network independent (no lookup against a central server at login time)
- Provide a way of quickly and sanely revoking keys
- Rely on lightweight protocols and keep complicated libraries out of OpenSSH
dhartmei@ implemented all of the above and provided a patch. The functionality is dubbed certkey: ssh-keygen creates a CA key, and host and user keys are then certified against this CA.
Since this PKI is network independent, the CA's public key needs to be distributed to every host (the private half stays with whoever issues keys).
Bob Beck pointed out that this implementation had the flaw every PKI has: it did not provide a way of revoking keys quickly in case of compromise. This was promptly fixed, and a simple key validation daemon is now available (see the announcement).
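To make the points above concrete, here is the same workflow using the certificate support that stock OpenSSH gained later (certificates in 5.4, key revocation lists in 6.2), which covers the same ground as certkey: an @cert-authority line in known_hosts stands in for per-host known_hosts entries, TrustedUserCAKeys in sshd_config stands in for authorized_keys, both are static files so no server is consulted at login time, and a small revocation list pushed to the servers handles revocation. This is an added example written for this page, not code from dhartmei@'s patch or from the announced validation daemon; it assumes only that ssh-keygen is on PATH, and the host name, login name, serial numbers and file paths are made up for the demonstration.

```shell
#!/bin/sh
# Added example: a certkey-style CA workflow with stock OpenSSH certificates.
# Not the certkey patch. Assumes ssh-keygen is on PATH; every name below
# (bastion.example.com, alice, serials 100 and 7, file paths) is invented.
set -eu

# Create a CA key pair (ed25519, empty passphrase so the script runs unattended).
make_ca() {                # make_ca <dir> <name>
    ssh-keygen -q -t ed25519 -N '' -C "$2" -f "$1/$2"
}

# Issue a host certificate: -h marks it as a host cert, -n lists the host
# names (principals) it is valid for, -I is the key id shown in logs and
# -z the serial number we can later revoke by without holding the key.
sign_host_key() {          # sign_host_key <dir> <serial> <hostname>
    ssh-keygen -q -t ed25519 -N '' -f "$1/ssh_host_ed25519_key"
    ssh-keygen -q -s "$1/host_ca" -I "host-$3" -h -n "$3" -z "$2" -V +52w \
        "$1/ssh_host_ed25519_key.pub"
}

# Issue a user certificate; the principals (-n) are the login names sshd
# will accept this certificate for, which is what authorized_keys used to say.
sign_user_key() {          # sign_user_key <dir> <serial> <login>
    ssh-keygen -q -t ed25519 -N '' -f "$1/id_ed25519"
    ssh-keygen -q -s "$1/user_ca" -I "user-$3" -n "$3" -z "$2" -V +1d \
        "$1/id_ed25519.pub"
}

# The two static files that replace known_hosts and authorized_keys:
# one @cert-authority line per host CA on the client side, and
# TrustedUserCAKeys plus the host's own certificate on the server side.
# Nothing here is consulted over the network at login time.
write_trust_config() {     # write_trust_config <dir> <host-pattern>
    printf '@cert-authority %s %s\n' "$2" "$(cut -d' ' -f1,2 "$1/host_ca.pub")" \
        > "$1/known_hosts"
    cat > "$1/sshd_config.fragment" <<EOF
HostKey $1/ssh_host_ed25519_key
HostCertificate $1/ssh_host_ed25519_key-cert.pub
TrustedUserCAKeys $1/user_ca.pub
RevokedKeys $1/revoked.krl
EOF
}

# Revocation without the key: a KRL line "serial: N", scoped to the CA public
# key given with -s, revokes certificate N even if the private key was never
# seen. Pushing the resulting small file to the servers is the whole step.
revoke_serial() {          # revoke_serial <dir> <ca-name> <serial>
    printf 'serial: %s\n' "$3" > "$1/revoke.spec"
    ssh-keygen -k -f "$1/revoked.krl" -s "$1/$2.pub" "$1/revoke.spec"
}

# Returns 0 (true) if the key or certificate is listed as revoked in the KRL.
# ssh-keygen -Q exits non-zero when any key named on its command line is revoked.
is_revoked() {             # is_revoked <krl> <pubkey-or-cert>
    if ssh-keygen -Q -f "$1" "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Whole procedure: two CAs, one host cert, one user cert, trust config,
# then revoke the user certificate by serial.
demo() {                   # demo <workdir>
    make_ca "$1" host_ca
    make_ca "$1" user_ca
    sign_host_key "$1" 100 bastion.example.com
    sign_user_key "$1" 7 alice
    write_trust_config "$1" '*.example.com'
    revoke_serial "$1" user_ca 7
}

if command -v ssh-keygen >/dev/null 2>&1; then
    WORK=$(mktemp -d)
    demo "$WORK"
    ssh-keygen -L -f "$WORK/id_ed25519-cert.pub"      # show what was issued
    # Expected: the user cert is REVOKED, the bare user key and the host cert
    # are ok (revocation by serial is scoped to the CA that issued the cert).
    ssh-keygen -Q -f "$WORK/revoked.krl" "$WORK/id_ed25519-cert.pub" \
        "$WORK/id_ed25519.pub" "$WORK/ssh_host_ed25519_key-cert.pub" || true
    rm -rf "$WORK"
else
    echo "this example needs OpenSSH's ssh-keygen on PATH" >&2
fi
```

Run as a plain script it prints the issued user certificate and the KRL verdict for three keys: the user certificate (revoked by serial), the bare user key (still fine, because only the certificate was revoked, not the key) and the host certificate (unaffected, because a serial revocation is scoped to the CA that issued the certificate). sshd consults RevokedKeys on each authentication attempt, so distributing that one file is the revocation step; this is a file-push design, a different mechanism from the validation daemon mentioned above.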
This project looks very promising and will probably be useful even at small sites.
By Brian (66.23.217.200) info@rhemasound.org on www.rhemasound.org
Great job Daniel!!!!!!
By Darrin Chandler (216.9.200.69) dwchandler@stilyagin.com on
The original offline nature of the proposed PKI put me off, but I'm still waiting to see how things shape up. A robust PKI for ssh would be a boon for those who need it.
By baldusi (200.68.102.49) on
By Anonymous Coward (203.15.102.65) on
- One less thing to keep configured and audited.
- Kerberos is a dog.
By Janne Johansson (130.237.95.193) jj@inet6.se on
We do krb5 auth for host keys too, but it won't help you if half your network is down, which was one of the major points of this exercise. It helps with the scaling problem of adding new hosts to large sites though.
And it obviously helps if you already are doing krb5, since setting it up would be far more work than any kind of rsync-my-hostkeys solution.
By Amir S Mesry (208.52.133.98) on
By Joachim Schipper (82.157.194.81) on
Joachim
By Krunch (213.219.187.98) on http://krunch.be/
http://roumenpetrov.info/openssh/
By Ben Lindstrom (64.122.231.146) mouring@nospam.eviladmin.or on http://eviladmin.org
> http://roumenpetrov.info/openssh/
Ermm.. if I remember correctly, this is very different. This just adds in some of the X.509 stuff, but doesn't try to be a complete solution like what is being attempted here.
I have to say the idea is interesting. I could see it being very useful even in my new environment.