
Re: hostbased authentication in libssh


Andreas,

I looked into implementing hostbased authentication in libssh. For now I
am going to take a different route for our project but I do have a
comment/question, in case I or someone else gets around to it.

Hostbased authentication depends on the private host keys which a user
program cannot read. Openssh's client execs a binary called ssh-keysign
which has the SUID bit set and then authenticates with the help of that
program. Could libssl be dependent on the system binary for ssh-keysign or
would an LGPL2 version of ssh-keysign need to be written to be packaged
with libssl?

Unfortunately this might be out of the scope of libssl because I don't
know of a neat solution. Relying on ssh-keysign is questionable because I
have not looked to see if that is a standard interface in ssh or if it is
just the whim of openssh and could change; I suspect it is the latter. If
libssh includes a ssh-keysign-like binary then the binary would need to be
installed in a known location on the system for the library to be fully
functional.

Thank you,
-- 
Chris DeJager




-----Original Message-----
From: Andreas Schneider <asn@xxxxxxxxxxxxxx>
Reply-To: "libssh@xxxxxxxxxx" <libssh@xxxxxxxxxx>
Date: Tuesday, February 14, 2017 at 2:56 AM
To: "libssh@xxxxxxxxxx" <libssh@xxxxxxxxxx>
Subject: Re: hostbased authentication in libssh

>On Thursday, 9 February 2017 23:46:35 CET DeJager, Christopher Alan wrote:
>> According to http://api.libssh.org/stable/index.html libssh supports
>> hostbased authentication. However, I have yet to be successful using it
>> and cannot find an example of someone else doing it.
>> 
>> I am trying to write a client to connect to an openssh-server v6.7. I
>> did not see an authentication function related to hostbased in
>> http://api.libssh.org/stable/group__libssh__auth.html so I tried loading
>> the private key for the client with ssh_pki_import_privkey_file() and
>> then authenticating with ssh_userauth_publickey(). I have also tried
>> ssh_userauth_none() and skipping that step. I did successfully
>> authenticate with a public key and with a password.
>> 
>> Is hostbased authentication supported on the client and if so how would
>> I go about it?
>
>That is an error on the page. We do not support it but maybe you're
>interested to implement it?
>
>Shouldn't be very hard to add it.
>
>
>Cheers,
>
>
>	Andreas
>
>
>-- 
>Andreas Schneider                   GPG-ID: CC014E3D
>www.cryptomilk.org                asn@xxxxxxxxxxxxxx
>
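
As an added illustration (not part of the original message, and not libssh or OpenSSH code): the data that RFC 4252 section 9 requires the client's host key to sign for hostbased authentication, which is what a privileged helper such as ssh-keysign has to produce a signature over. The function names and all sample values are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSH_MSG_USERAUTH_REQUEST 50 /* message number from RFC 4252 */

/* Append an SSH "string" (uint32 big-endian length, then bytes); 0 if no room. */
static int put_string(uint8_t *buf, size_t cap, size_t *off,
                      const void *data, size_t len)
{
    if (cap - *off < 4 || cap - *off - 4 < len || len > UINT32_MAX)
        return 0;
    buf[(*off)++] = (uint8_t)(len >> 24);
    buf[(*off)++] = (uint8_t)(len >> 16);
    buf[(*off)++] = (uint8_t)(len >> 8);
    buf[(*off)++] = (uint8_t)len;
    if (len > 0)
        memcpy(buf + *off, data, len);
    *off += len;
    return 1;
}

/* Hypothetical helper: RFC 4252 section 9 data to be signed; 0 on overflow. */
size_t hostbased_signed_data(uint8_t *buf, size_t cap,
        const uint8_t *session_id, size_t sid_len, const char *user,
        const char *service, const char *key_alg, const uint8_t *host_pubkey,
        size_t pk_len, const char *client_fqdn, const char *client_user)
{
    size_t off = 0;
    if (!put_string(buf, cap, &off, session_id, sid_len) || off >= cap)
        return 0;
    buf[off++] = SSH_MSG_USERAUTH_REQUEST;
    if (!put_string(buf, cap, &off, user, strlen(user)) ||
        !put_string(buf, cap, &off, service, strlen(service)) ||
        !put_string(buf, cap, &off, "hostbased", 9) ||
        !put_string(buf, cap, &off, key_alg, strlen(key_alg)) ||
        !put_string(buf, cap, &off, host_pubkey, pk_len) ||
        !put_string(buf, cap, &off, client_fqdn, strlen(client_fqdn)) ||
        !put_string(buf, cap, &off, client_user, strlen(client_user)))
        return 0;
    return off;
}

int main(void)
{
    /* Constructed sample values, not taken from a real session or key. */
    const uint8_t sid[4] = {1, 2, 3, 4}, pk[3] = {0xaa, 0xbb, 0xcc};
    uint8_t buf[256];
    printf("%zu bytes to sign\n", hostbased_signed_data(buf, sizeof buf, sid, 4,
           "alice", "ssh-connection", "ssh-ed25519", pk, 3, "client.example.com", "alice"));
}
```

Only the final signature over this buffer needs the private host key, so that one step is all a setuid helper has to perform on the client's behalf.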


Follow-Ups:
Re: hostbased authentication in libssh, Aris Adamantiadis <aris@xxxxxxxxxxxx>
References:
hostbased authentication in libssh, "DeJager, Christopher Alan" <dejager@xxxxxxxx>
Re: hostbased authentication in libssh, Andreas Schneider <asn@xxxxxxxxxxxxxx>