
Garrett: We need better support for SSH host certificates

source link: https://lwn.net/Articles/927251/

[Posted March 24, 2023 by corbet]
Matthew Garrett looks at the recent disclosure of GitHub's private host key, how it probably came about, and what a better approach to key management might look like.
The main problem is that client tooling just doesn't handle this well. OpenSSH has no way to do TOFU for CAs, just the keys themselves. This means there's no way to do a git clone ssh://git@github.com/whatever and get a prompt asking you to trust GitHub's CA. Instead, you need to add a @cert-authority github.com (key) line to your known_hosts file by hand, and since approximately nobody's going to do that there's only marginal benefit in going to the effort to implement this infrastructure. The most important thing we can do to improve the security of the SSH ecosystem is to make it easier to use certificates, and that means improving the behaviour of the clients.
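The client-side gap Garrett describes comes down to what ssh(1) finds in known_hosts: a matching @cert-authority entry means any host certificate signed by that CA is accepted silently, a matching plain entry pins one exact key, and no match at all falls back to trust-on-first-use. The following is an added example written for this page, not code from the article, from Matthew Garrett or from OpenSSH. It parses known_hosts with the rules sshd(8) documents for that file (the @cert-authority and @revoked markers, comma-separated host patterns with * and ? wildcards and ! negation, the [host]:port form, and |1|salt|hash hashed names) and reports which of the three outcomes a host would get. The known_hosts content and the CA public key are constructed here; the key blobs are syntactically valid ssh-ed25519 blobs with filler bytes, not real keys, and no signature is checked, since the question is only what the file authorises.

```python
"""Judge from known_hosts alone what ssh(1) will do with a host: accept a CA-signed
certificate ("cert-authority"), require one pinned key ("key"), or prompt ("tofu").
Added example for this page; not OpenSSH code. Keys below are constructed filler."""
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Entry:
    marker: Optional[str]  # "cert-authority", "revoked", or None for a plain pinned key
    patterns: List[str]    # host patterns; a hashed entry is a single "|1|..." pattern
    keytype: str
    key: str               # base64 key blob


def parse_known_hosts(text):
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        marker = None
        if line.startswith("@"):               # "@cert-authority <rest>" -> marker + rest
            parts = line[1:].split(None, 1)
            if len(parts) < 2:
                continue
            marker, line = parts
        fields = line.split()
        if len(fields) < 3:                    # malformed line; skipped, as OpenSSH does
            continue
        entries.append(Entry(marker, fields[0].split(","), fields[1], fields[2]))
    return entries


def glob_match(pattern, text):
    """Only '*' and '?' are special, as in OpenSSH's match_pattern(); no [] classes."""
    p = t = 0
    star, mark = -1, 0
    while t < len(text):
        if p < len(pattern) and pattern[p] in ("?", text[t]):
            p, t = p + 1, t + 1
        elif p < len(pattern) and pattern[p] == "*":
            star, mark, p = p, t, p + 1
        elif star != -1:                       # backtrack: let the last '*' eat one more char
            p, mark = star + 1, mark + 1
            t = mark
        else:
            return False
    return pattern[p:].strip("*") == ""


def hash_host(host, salt):
    """Hashed known_hosts name: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def pattern_matches(patterns, name):
    """A matching negated pattern vetoes the whole list; otherwise any positive match wins."""
    name = name.lower()                        # hostnames match case-insensitively
    hit = False
    for pat in patterns:
        if pat.startswith("|1|"):
            salt = base64.b64decode(pat.split("|")[2])
            hit |= hmac.compare_digest(hash_host(name, salt), pat)
            continue
        negate = pat.startswith("!")
        if glob_match(pat.lstrip("!").lower(), name):
            if negate:
                return False
            hit = True
    return hit


def decide(entries, host, port=22):
    """Return "cert-authority", "key" or "tofu". @revoked entries are ignored here:
    they only matter once a specific key is presented."""
    name = host if port == 22 else "[{}]:{}".format(host, port)
    verdict = "tofu"
    for e in entries:
        if e.marker == "revoked" or not pattern_matches(e.patterns, name):
            continue
        if e.marker == "cert-authority":
            return "cert-authority"            # any host cert signed by this CA is accepted
        verdict = "key"                        # accepted only if the server presents this key
    return verdict


def cert_authority_line(host_patterns, ca_pubkey_line):
    """The line the article says users must add by hand (built from e.g. ca.pub)."""
    keytype, blob = ca_pubkey_line.split()[:2]
    return "@cert-authority {} {} {}".format(host_patterns, keytype, blob)


def fake_ed25519_blob(fill):
    """Constructed ssh-ed25519 wire blob; the 32 key bytes are filler, not a real key."""
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([fill]) * 32).decode()


# Constructed known_hosts: pinned key, hashed name, wildcard list with a negation,
# a non-default port, and nothing at all for github.com.
SALT = b"\x01" * 20
KNOWN_HOSTS = "\n".join([
    "example.com ssh-ed25519 " + fake_ed25519_blob(1),
    hash_host("hashed.example", SALT) + " ssh-ed25519 " + fake_ed25519_blob(2),
    "*.example.com,!bad.example.com ssh-ed25519 " + fake_ed25519_blob(3),
    "[git.example.com]:2222 ssh-ed25519 " + fake_ed25519_blob(4),
])
CA_PUB = "ssh-ed25519 " + fake_ed25519_blob(9) + " example-host-ca"   # constructed CA key
BEFORE = parse_known_hosts(KNOWN_HOSTS)
AFTER = parse_known_hosts(KNOWN_HOSTS + "\n" + cert_authority_line("github.com,*.github.com", CA_PUB))

if __name__ == "__main__":
    for host, port in [("github.com", 22), ("api.github.com", 22), ("bad.example.com", 22),
                       ("git.example.com", 2222), ("Hashed.Example", 22)]:
        print(host, port, decide(BEFORE, host, port), "->", decide(AFTER, host, port))
```

Running it shows the asymmetry the post complains about: github.com and api.github.com are "tofu" until the @cert-authority line is present and "cert-authority" afterwards, while the pinned, hashed and wildcard entries behave the same either way. Negation matters for CA lines too: a @cert-authority pattern such as "*.example.com,!build.example.com" lets you carve one host out of a CA's scope, which is worth doing for a host you deliberately keep on a pinned key.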


Copyright © 2023, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds

