[Samba] ssh with certificates - was: AW: Samba Bind DLZ and Zone signing

Sami Hulkko sahulkko at gmail.com
Sun Dec 10 19:38:35 UTC 2023


I am after host-to-client authentication; that is the first sentence in 
the mail. There is already Kerberos5 in Samba, and there are other user-
to-host authentication methods for that. To authenticate HOST to CLIENT, 
DNSSEC is the standard preferred method. PuTTY is year-2000 stuff; the 
current tool is Windows Terminal. Try it out: it is free of charge in the 
Windows Store and has great support for WSL2, Visual Studio and other software.


On 10/12/2023 21.31, Joachim Lindenberg via samba wrote:
> Out of curiosity:
> I am wondering who recommends ssh key management via dnssec? Afaik it only addresses host authentication but not user authentication, and putty (the most popular client on Windows) does not support it at all. I personally experimented with Kerberos, but there are also gaps in support, in particular Windows ssh server does not support it.
> I haven't tried ssh with certificates yet, but the descriptions I have seen look ok, only that standard x.509 certificates cannot be reused.
> What prevents you (or others) to use certificates?
> Joachim
> -----Original Message-----
> From: samba <samba-bounces at lists.samba.org> On Behalf Of Sami Hulkko via samba
> Sent: Sunday, 10 December 2023 20:04
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba Bind DLZ and Zone signing
> Hi,
> One can use ssh verification of hosts with a DNS-provided HOST KEY (the one in ~/.ssh/id_rsa.pub and the one in the /etc/ssh/ folder for the host), which requires DNSSEC zone signing. It is recommended practice to authenticate SSH hosts to clients and preferred over the more complex SSL certificate method. A securely signed zone is a prerequisite for SSH to approve the host ID provided by DNS.
> SH
> On 10/12/2023 18.50, Rowland Penny via samba wrote:
>> On Sun, 10 Dec 2023 17:23:19 +0200
>> Sami Hulkko via samba <samba at lists.samba.org> wrote:
>>> Hi,
>>> Is there any way of signing the zones with a zone-signing key? How
>>> would one add a zone-signing key and key-signing key to the DLZ
>>> database? The Windows 11 Pro RSAT tool for the nameserver does not accept
>>> key addition and states unauthorized.
>> I think you need to explain what you are trying to achieve. As far as
>> I am aware, Windows clients can update their own dns records in AD and
>> Unix clients need to use kerberos. So just what are you trying to do
>> and why?
>> Rowland
Me worry? That's why my first CD was Peter Gabriel SO....

Sami Hulkko
sahulkko at gmail.com
sahulkko at icloud.com
samihulkko at quantum-black-hole.com
+358 45 85693 919
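The SSHFP mechanism this thread discusses (host key published in DNS, trusted by the client only when the zone is DNSSEC-signed) can be illustrated end to end. The example below is added here and is not code from the list thread or from OpenSSH: it builds the SSHFP RDATA that `ssh-keygen -r` would emit for a host public key and models the client-side decision, in which a matching record authenticates the host only if the resolver's answer carried the AD (DNSSEC-validated) flag. The host name `host.example.test.` and the Ed25519 key bytes are constructed for the example.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) keyed by OpenSSH key type.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
              "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256, hashed over the wire-format key blob.
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_pubkey_line(line):
    """Return (key type, raw wire blob) from an OpenSSH public key line."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])  # blob begins with the key type string
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type field and blob disagree")
    return keytype, blob


def sshfp_rdata(line):
    """SSHFP RDATA tuples (alg, fptype, hex) for a host key, as ssh-keygen -r emits them."""
    keytype, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGO[keytype]
    return [(alg, fpt, h(blob).hexdigest()) for fpt, h in sorted(SSHFP_HASH.items())]


def format_rr(owner, rdata):
    """Zone-file lines, e.g. 'host.example.test. IN SSHFP 4 2 <hex>'."""
    return [f"{owner} IN SSHFP {a} {t} {fp.upper()}" for a, t, fp in rdata]


def evaluate_sshfp(line, rdata, ad_flag):
    """Client-side decision for a presented host key against SSHFP answers.
    A match is host authentication only when the resolver set the AD flag
    (DNSSEC-validated); a match from an unsigned zone is informational only."""
    keytype, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGO[keytype]
    for a, fpt, hexfp in rdata:
        if a == alg and fpt in SSHFP_HASH and SSHFP_HASH[fpt](blob).hexdigest() == hexfp.lower():
            return "verified" if ad_flag else "match-unvalidated"
    return "no-match"


def constructed_ed25519_line(raw=bytes(range(32))):
    """Sample Ed25519 public key line built from constructed bytes (not a real key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example.test"


if __name__ == "__main__":
    print("\n".join(format_rr("host.example.test.", sshfp_rdata(constructed_ed25519_line()))))
```

With a real host, the same RDATA comes from `ssh-keygen -r host.example.test. -f /etc/ssh/ssh_host_ed25519_key.pub`, and the client honours it with `VerifyHostKeyDNS yes` in ssh_config only when `dig +dnssec SSHFP host.example.test.` returns the AD flag.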
