[Samba] ssh with certificates - was: AW: Samba Bind DLZ and Zone signing

Owen DeLong Owen.Delong at ff.com
Mon Dec 11 07:38:40 UTC 2023


To be clear, DNS only provides HOST identification validation (the host’s key fingerprints are stored as RDATA in an SSHFP DNS record).

This avoids the need to validate the server's key on first connection or delete it from the known_hosts file when it changes, but it has nothing to do with user authentication.

Owen
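As an added illustration (not code from any poster in this thread) of the host-identification check described above: the Python below derives the SSHFP RDATA from an OpenSSH host-key line, which is what `ssh-keygen -r` prints for a zone, and applies the client-side rule behind OpenSSH's `VerifyHostKeyDNS` that a record is only honoured when the resolver reported it as DNSSEC-validated. The key bytes and the hostname are constructed for the example.

```python
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) and fingerprint types.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}


def make_ed25519_line(raw_key, comment="host.example"):
    """Build an OpenSSH public-key line (the format of /etc/ssh/ssh_host_ed25519_key.pub)
    from a raw 32-byte Ed25519 key. The blob is SSH wire format: a length-prefixed
    type string followed by the length-prefixed key bytes."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + raw_key
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


# Constructed sample: a made-up key, NOT a real host key.
SAMPLE_HOST_KEY_LINE = make_ed25519_line(bytes(range(32)))


def sshfp_rdata(pubkey_line, fptype="sha256"):
    """Return the SSHFP RDATA ("algo fptype hexdigest") for an OpenSSH public-key line.
    The fingerprint is taken over the base64-decoded key blob, not over the text line."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    digest = hashlib.new(fptype, blob).hexdigest()
    return f"{SSHFP_ALGO[keytype]} {SSHFP_FPTYPE[fptype]} {digest}"


def host_key_matches(pubkey_line, rdata, dnssec_validated):
    """Decide whether the key a host presented matches a published SSHFP record.
    An answer the resolver did not report as DNSSEC-validated (no AD bit) is ignored:
    without the signed zone, anyone who can forge the DNS reply could publish a
    fingerprint for a key of their own, which is why the zone must be signed."""
    if not dnssec_validated:
        return False
    algo, fptype, fp = rdata.split()
    wanted = {1: "sha1", 2: "sha256"}[int(fptype)]
    return sshfp_rdata(pubkey_line, wanted) == f"{algo} {fptype} {fp.lower()}"


if __name__ == "__main__":
    # Zone-file form of the record a DNSSEC-signed zone would publish for the host.
    print(f"host.example. IN SSHFP {sshfp_rdata(SAMPLE_HOST_KEY_LINE)}")
```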

On Dec 10, 2023, at 11:31, Joachim Lindenberg via samba <samba at lists.samba.org> wrote:



Out of curiosity:
I am wondering who recommends ssh key management via dnssec? Afaik it only addresses host authentication but not user authentication, and putty (the most popular client on Windows) does not support it at all. I personally experimented with Kerberos, but there are also gaps in support, in particular Windows ssh server does not support it.
I haven't tried ssh with certificates yet, but the descriptions I have seen look ok, only that standard x.509 certificates cannot be reused.
What prevents you (or others) from using certificates?
Joachim

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Sami Hulkko via samba
Sent: Sunday, 10 December 2023 20:04
To: samba at lists.samba.org
Subject: Re: [Samba] Samba Bind DLZ and Zone signing

Hi,

One can use ssh verification of hosts with DNS provided HOST KEY (the one in ~/.ssh/id_rsa.pub and one in /etc/ssh/ folder for host) that requires DNSSEC zone signing. It is recommended practice to authenticate SSH hosts to clients and preferred over the more complex SSL Certificate method. A secure signed zone is a prerequisite for SSH to approve the host ID provided by DNS.

SH

On 10/12/2023 18.50, Rowland Penny via samba wrote:
> On Sun, 10 Dec 2023 17:23:19 +0200
> Sami Hulkko via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> Is there any way of signing the zones with zone-signing key? How
>> would one add zone-signing key and key signing key to DLZ
>> database? The Windows 11 Pro RSAT tool for nameserver does not accept
>> key addition and states unauthorized.
>>
> I think you need to explain what you are trying to achieve. As far as
> I am aware, Windows clients can update their own dns records in AD and
> Unix clients need to use Kerberos. So just what are you trying to do
> and why?
>
> Rowland
>
>
--
Me worry? That's why my first CD was Peter Gabriel SO....

Sami Hulkko
sahulkko at gmail.com
sahulkko at icloud.com
samihulkko at quantum-black-hole.com
+358 45 85693 919


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
