[Samba] ssh with certificates - was: AW: Samba Bind DLZ and Zone signing

Rowland Penny rpenny at samba.org
Mon Dec 11 09:15:43 UTC 2023


On Mon, 11 Dec 2023 07:38:40 +0000
Owen DeLong via samba <samba at lists.samba.org> wrote:

> To be clear, DNS only provides HOST identification validation (the
> host’s key fingerprints are stored as RDATA in an SSHFP DNS record).
> 
> This avoids the need to validate the server’s key on first connection
> or delete it from the known_hosts file when it changes, but it has
> nothing to do with user authentication.
> 
> Owen
> 
> On Dec 10, 2023, at 11:31, Joachim Lindenberg via samba
> <samba at lists.samba.org> wrote:
> 
> Out of curiosity:
> I am wondering who recommends ssh key management via dnssec? Afaik it
> only addresses host authentication but not user authentication, and
> putty (the most popular client on Windows) does not support it at
> all. I personally experimented with Kerberos, but there are also gaps
> in support, in particular Windows ssh server does not support it. I
> haven't tried ssh with certificates yet, but the descriptions I have
> seen look ok, only that standard x.509 certificates cannot be reused.
> What prevents you (or others) from using certificates? Joachim
> 

There appear to be big problems with trying to use SSHFP with Active
Directory.

OpenSSH would prefer you to use certificates; they do not appear to
have the code to use SSHFP with DNSSEC.

Windows requires 2012 before you can even add the DNSSEC keys and even
then it is highly experimental.

Entra (was Azure) doesn't currently support DNSSEC.

Bit of a dead duck if you ask me and probably a very niche case.

Of course, if someone wants to write the code to make it work, then
great, but I think they would have to liaise with:

Samba
OpenSSH
Bind
Microsoft

Rowland
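To make concrete what Owen describes above (an SSHFP record carries only a hash of the host key, so it can stand in for the first-connection check but says nothing about the user), here is an added example that is not part of the thread or of Samba, OpenSSH or Bind: it derives the SSHFP RDATA from an OpenSSH public key line the way `ssh-keygen -r` does, and emulates the client-side match. The Ed25519 key bytes and the hostname host.example are constructed for the example.

```python
import base64
import hashlib

# Constructed example only: a 32-byte Ed25519 public key made from a fixed
# byte pattern, wrapped in the OpenSSH wire format (type string + key bytes).
CONSTRUCTED_KEY_BYTES = bytes(range(32))
ED25519_BLOB = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + CONSTRUCTED_KEY_BYTES
CONSTRUCTED_HOST_KEY_LINE = (
    "ssh-ed25519 " + base64.b64encode(ED25519_BLOB).decode() + " host.example"
)

# Algorithm and fingerprint-type numbers as registered for SSHFP
# (RFC 4255: rsa=1, dss=2, sha1=1; RFC 6594: ecdsa=3, sha256=2; RFC 7479: ed25519=4).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4,
}
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_rdata(pubkey_line, fptype=2):
    """Return (algorithm, fptype, hex fingerprint) for one OpenSSH public key line,
    i.e. the RDATA of the SSHFP record for that host key."""
    keytype, b64, *_ = pubkey_line.split()
    blob = base64.b64decode(b64)
    # The blob names its own key type in its first length-prefixed string; the
    # text label must agree, because the blob is what gets hashed.
    name_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + name_len].decode() != keytype:
        raise ValueError("key type label does not match key blob")
    if keytype not in SSHFP_ALGORITHMS:
        raise ValueError("no SSHFP algorithm number for " + keytype)
    return SSHFP_ALGORITHMS[keytype], fptype, SSHFP_HASHES[fptype](blob).hexdigest()


def host_key_matches_sshfp(pubkey_line, records):
    """Emulate the check a client makes with VerifyHostKeyDNS: the host key the
    server presented matches if any (alg, fptype, fingerprint) record agrees.
    Only host identity is established; nothing here concerns the user."""
    for alg, fptype, fingerprint in records:
        if fptype not in SSHFP_HASHES:
            continue  # unknown hash type: ignore the record rather than trust it
        if (alg, fptype, fingerprint.lower()) == sshfp_rdata(pubkey_line, fptype):
            return True
    return False
```

A client only trusts such a match when the SSHFP answer was DNSSEC-validated (OpenSSH looks for the AD bit), which is exactly the part the rest of the thread finds missing in AD, Bind integration and Entra.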


