[Samba] ssh with certificates - was: AW: Samba Bind DLZ and Zone signing
Norbert Hanke
norbert.hanke at gmx.ch
Sun Dec 10 19:53:19 UTC 2023
Off-topic for this list, but you mentioned it. One of the lists
mentioned in https://www.openssh.com/list.html might be a better place
to discuss this.
There is a public patch for OpenSSH that allows using X.509
certificates for authentication, see
https://www.roumenpetrov.info/secsh/index.html .
That patch has been maintained for about 20 years, initially by
implementing a proprietary protocol extension. In the meantime that
evolved into a standard protocol described in RFC 6187.
It never made it into "standard OpenSSH", probably because there is a
competing certificate standard (not X.509) supported by OpenSSH.
On 10.12.2023 20:31, Joachim Lindenberg via samba wrote:
> Out of curiosity:
> I am wondering who recommends ssh key management via DNSSEC? Afaik it only addresses host authentication but not user authentication, and PuTTY (the most popular client on Windows) does not support it at all. I personally experimented with Kerberos, but there are also gaps in support, in particular the Windows ssh server does not support it.
> I haven't tried ssh with certificates yet, but the descriptions I have seen look ok, only that standard X.509 certificates cannot be reused.
> What prevents you (or others) from using certificates?
> Joachim
>
> -----Original Message-----
> From: samba <samba-bounces at lists.samba.org> On behalf of Sami Hulkko via samba
> Sent: Sunday, 10 December 2023 20:04
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba Bind DLZ and Zone signing
>
> Hi,
>
> One can use ssh verification of hosts with a DNS-provided HOST KEY (the one in ~/.ssh/id_rsa.pub and the one in the /etc/ssh/ folder for the host), which requires DNSSEC zone signing. It is recommended practice to authenticate SSH hosts to clients and preferred over the more complex SSL certificate method. A securely signed zone is a prerequisite for SSH to approve the host ID provided by DNS.
>
> SH
>
> On 10/12/2023 18.50, Rowland Penny via samba wrote:
>> On Sun, 10 Dec 2023 17:23:19 +0200
>> Sami Hulkko via samba <samba at lists.samba.org> wrote:
>>
>>> Hi,
>>>
>>> Is there any way of signing the zones with a zone-signing key? How
>>> would one add a zone-signing key and a key-signing key to the DLZ
>>> database? The Windows 11 Pro RSAT tool for the nameserver does not accept
>>> key addition and states unauthorized.
>>>
>> I think you need to explain what you are trying to achieve. As far as
>> I am aware, Windows clients can update their own DNS records in AD and
>> Unix clients need to use Kerberos, so just what are you trying to do
>> and why?
>>
>> Rowland
>>
>>
> --
> Me worry? That's why my first CD was Peter Gabriel SO....
>
> Sami Hulkko
> sahulkko at gmail.com
> sahulkko at icloud.com
> samihulkko at quantum-black-hole.com
> +358 45 85693 919
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
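Sami's post above describes letting the client verify an SSH host key against the key published in DNS, which only carries weight when the zone is DNSSEC-signed. As an added example that is not from the thread, the Python below builds the SSHFP record that publishes such a key and mimics the client's decision; the host name dc1.example.com and the Ed25519 key bytes are constructed, not a real host's.

```python
# Added example (not from the thread): build SSHFP records (RFC 4255 / RFC 6594)
# for an SSH host key and mimic the client check. Host name and key bytes are
# constructed; a real record is made from /etc/ssh/ssh_host_*_key.pub (ssh-keygen -r).
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479); fingerprint type 2 = SHA-256.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
FPTYPE_SHA256 = 2

def key_fingerprint(pubkey_line: str) -> tuple[str, str]:
    """Return (key type, SHA-256 hex) of one OpenSSH public-key line.
    The digest covers the raw base64-decoded key blob, which is what goes into SSHFP RDATA."""
    keytype, b64, *_ = pubkey_line.split()
    return keytype, hashlib.sha256(base64.b64decode(b64)).hexdigest()

def sshfp_record(hostname: str, pubkey_line: str) -> str:
    """Zone-file SSHFP line for the host key; it belongs in the DNSSEC-signed zone."""
    keytype, digest = key_fingerprint(pubkey_line)
    return f"{hostname}. IN SSHFP {SSHFP_ALGORITHM[keytype]} {FPTYPE_SHA256} {digest}"

def host_key_matches_dns(pubkey_line: str, records: list[str], dnssec_validated: bool) -> str:
    """Client-side decision (OpenSSH does this with VerifyHostKeyDNS yes).
    'trusted' needs a matching record AND a DNSSEC-validated answer (AD bit set);
    a match from an unsigned zone is only advisory and the user is still prompted,
    which is why zone signing is the prerequisite."""
    keytype, digest = key_fingerprint(pubkey_line)
    for rr in records:
        alg, fptype, fp = rr.split()[-3:]
        if (int(alg), int(fptype), fp.lower()) == (SSHFP_ALGORITHM.get(keytype), FPTYPE_SHA256, digest):
            return "trusted" if dnssec_validated else "matched-but-unsigned"
    return "no-match"

def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

# Constructed sample key: 32 arbitrary bytes wrapped as an ssh-ed25519 key blob.
SAMPLE_PUBKEY_LINE = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode() + " root@dc1"

if __name__ == "__main__":
    rr = sshfp_record("dc1.example.com", SAMPLE_PUBKEY_LINE)
    print(rr)
    print(host_key_matches_dns(SAMPLE_PUBKEY_LINE, [rr], dnssec_validated=True))
```

The same fingerprint is what `ssh-keygen -r dc1.example.com -f /etc/ssh/ssh_host_ed25519_key.pub` prints for a real host, and the DNSSEC check models the AD bit OpenSSH requires before it treats the DNS answer as authoritative.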