Contributed by deanna on from the building a better ssh dept.
Daniel Hartmeier recently submitted to the OpenBSD tech mailing list a very interesting addition to OpenSSH, a PKI whose goal is to simplify host and user key administration.
While reading this, keep in mind that this is still in review, many have stated their opinions and criticism, and the code isn't imported in CVS right now. I'd also like to point out that the work dhartmei@ has done was sponsored by Allamanda Networks AG.
The starting point of all of this seems to be the state of key handling at large sites: a complete mess.
Of course various efforts exist (such as the ssh-lpk patch) to try to solve this situation. Mostly, host and user keys are handled by an in-house solution at large sites (most of which involve a well-known distribution method such as rsync, rdist or cfengine). The basic problem with centralizing user and host keys is that your repository needs to be up at all times (which is why the ssh-lpk patch is problematic), and when half of your network is down, you really don't want to be scratching your head wondering why you can't log in to the machines that are still up.
So basically a good PKI needs to attend to these issues:
- Handle the role of the known_hosts file
- Handle the role of the authorized_keys file
- Be network independent
- Provide a way of quickly and sanely revoking keys
- Rely on lightweight protocols, keep complicated libraries out of OpenSSH
dhartmei@ implemented all of the above and provided a patch. The functionality is dubbed certkey and relies on a CA created by ssh-keygen, with subsequent host and user keys created against this CA.
Since this PKI is network independent, the CA needs to be distributed to all hosts.
Bob Beck pointed out that this implementation had the flaw every PKI has: it does not provide a way of revoking keys quickly in case of compromise. This was promptly fixed; a simple key validation daemon is now available (announcement).
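As an added example (not the certkey patch, and not code from the article), here is the same design carried out with the certificate and key revocation list support that later landed in mainline OpenSSH: a CA made by ssh-keygen, user and host keys issued against it, and revocation that needs no network round trip. It assumes ssh-keygen from OpenSSH 6.2 or newer and uses ed25519 keys; the file names and the example.com hostnames are constructed.

```shell
#!/bin/sh
# Added example: CA-based key management with mainline OpenSSH certificates
# and KRLs (not the certkey patch discussed above). Assumes OpenSSH >= 6.2.
set -eu

# 1. The CA: one keypair, kept offline. Only ca_key.pub is distributed.
setup_ca() {
    ssh-keygen -q -t ed25519 -N "" -f ca_key -C "example CA"
}

# 2. User keys: sign the user's public key. The certificate replaces the
#    authorized_keys entry; sshd matches the principal list (-n) against
#    the login name and trusts any cert signed by TrustedUserCAKeys.
issue_user_cert() {           # $1 = username, produces id_$1-cert.pub
    ssh-keygen -q -t ed25519 -N "" -f "id_$1" -C "$1"
    ssh-keygen -q -s ca_key -I "$1" -n "$1" -V +52w "id_$1.pub"
}

# 3. Host keys: -h marks a host certificate. Clients then need a single
#    @cert-authority line in known_hosts instead of one key per host.
issue_host_cert() {           # $1 = hostname, produces host_key-cert.pub
    ssh-keygen -q -t ed25519 -N "" -f host_key -C "$1"
    ssh-keygen -q -s ca_key -h -I "$1" -n "$1" -V +52w host_key.pub
}

# 4. Revocation that works while the network is down: a KRL file read by
#    sshd via "RevokedKeys", distributed the same way as ca_key.pub.
#    Update an existing KRL (-u) or create a new one if none exists yet.
revoke_cert() {               # $1 = certificate (or key) file to revoke
    ssh-keygen -q -k -f revoked.krl -u "$1" 2>/dev/null \
        || ssh-keygen -q -k -f revoked.krl "$1"
}

# Prints "ok" or "REVOKED" for a key or certificate file against the KRL.
cert_status() {               # $1 = key or certificate file
    ssh-keygen -Q -f revoked.krl "$1" | sed 's/.*: //'
}

# Constructed sample of what every host receives from the administrator:
#   sshd_config:  TrustedUserCAKeys /etc/ssh/ca_key.pub
#                 RevokedKeys       /etc/ssh/revoked.krl
#   known_hosts:  @cert-authority *.example.com <contents of ca_key.pub>
```

Run the functions in a scratch directory; `ssh-keygen -L -f id_alice-cert.pub` shows the principals, validity window and serial that sshd will check offline.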
This project looks very promising and will probably be useful even at small sites.