From: "Wolfgang S. Rupprecht"
Date: Thu, 16 Nov 2006 08:43:20 -0800
Organization: W S Rupprecht Computer Consulting, Fremont CA
To: freebsd-current@freebsd.org
Cc: tech@openbsd.org, openssh-unix-dev@mindrot.org
Subject: Re: OpenSSH Certkey (PKI)
Message-ID: <87ac2rjqaf.fsf@arbol.wsrcc.com>
References: <20061115142820.GB14649@insomnia.benzedrine.cx> <87odr8i53w.fsf@arbol.wsrcc.com> <20061116135627.GA26343@tortuga.leo.org>

Daniel Lang writes:
> Are you, by any chance, mixing up "known_hosts" and "authorized_keys"?

Oops. I quoted the wrong section. I had meant to quote the section about the user_certificates. This is what I meant to cite:

+A user certificate is an authorization made by the CA that the
+holder of a specific private key may login to the server as a
+specific user, without the need of an authorized_keys file being
+present. The CA gains the power to grant individual users access
+to the server, and users do no longer need to maintain
+authorized_keys files of their own.

I don't see a problem with the host certificates methodology. (In fact I'd love to see the known_hosts files fade away as more hosts transition to using host certificates.)

Thanks,
-wolfgang
-- 
Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/
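Review bot: two wording problems in the quoted documentation lines: "the holder of a specific private key may login to the server" should read "may log in to the server" (login is the noun, log in the verb), and "users do no longer need to maintain authorized_keys files of their own" should read "users no longer need to maintain authorized_keys files of their own".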