Re: hostbased authentication in libssh


I looked into implementing hostbased authentication in libssh. For now I
am going to take a different route for our project but I do have a
comment/question, in case I or someone else gets around to it.

Hostbased authentication depends on the private host keys which a user
program cannot read. OpenSSH's client execs a binary called ssh-keysign
which has the SUID bit set and then authenticates with the help of that
program. Could libssl be dependent on the system binary for ssh-keysign or
would a LGPL2 version of ssh-keysign need to be written to be packaged
with libssl?

Unfortunately this might be out of the scope of libssl because I don't
know of a neat solution. Relying on ssh-keysign is questionable because I
have not looked to see if that is a standard interface in ssh or if it is
just the whim of openssh and could change; I suspect it is the latter. If
libssh includes an ssh-keysign-like binary then the binary would need to be
installed in a known location on the system for the library to be fully

Thank you,
Chris DeJager
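
To illustrate what a privileged helper in the ssh-keysign role actually signs, and why it has to validate the request before signing, here is an added example (not code from this thread, libssh or OpenSSH): it builds the hostbased signature payload from RFC 4252 section 9 and runs the sanity checks a keysign helper should apply so that it cannot be used to sign arbitrary data with the host key. All sample values are constructed; the function names are my own.

```python
import struct

SSH_MSG_USERAUTH_REQUEST = 50  # RFC 4252


def ssh_string(b: bytes) -> bytes:
    """Encode an SSH 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def hostbased_signed_data(session_id, user, hostkey_alg, hostkey_blob,
                          client_fqdn, client_user, service=b"ssh-connection"):
    """Bytes the client *host* key signs for the 'hostbased' method (RFC 4252 s.9).

    The session identifier comes first, which binds the signature to this one
    connection; the USERAUTH_REQUEST packet sent on the wire is the same data
    without the session id, followed by the signature as an SSH string.
    """
    return (ssh_string(session_id) + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user) + ssh_string(service) + ssh_string(b"hostbased")
            + ssh_string(hostkey_alg) + ssh_string(hostkey_blob)
            + ssh_string(client_fqdn) + ssh_string(client_user))


def read_string(buf, off):
    """Decode one SSH string at offset; raise on truncation."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def keysign_request_is_valid(data, local_fqdn):
    """Checks a SUID signing helper must make before using the host key.

    Signing anything else would turn the helper into a signing oracle for the
    private host key. Returns (ok, reason).
    """
    try:
        sid, off = read_string(data, 0)
        if data[off] != SSH_MSG_USERAUTH_REQUEST:
            return False, "not a USERAUTH_REQUEST"
        user, off = read_string(data, off + 1)
        service, off = read_string(data, off)
        method, off = read_string(data, off)
        alg, off = read_string(data, off)
        blob, off = read_string(data, off)
        fqdn, off = read_string(data, off)
        cuser, off = read_string(data, off)
    except (ValueError, struct.error, IndexError):
        return False, "malformed request"
    if off != len(data):
        return False, "trailing data"
    if not sid:
        return False, "empty session id"
    if service != b"ssh-connection" or method != b"hostbased":
        return False, "not a hostbased request for ssh-connection"
    if fqdn != local_fqdn:
        return False, "client host name is not this host"
    return True, "ok"
```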

-----Original Message-----
From: Andreas Schneider <asn@xxxxxxxxxxxxxx>
Reply-To: "libssh@xxxxxxxxxx" <libssh@xxxxxxxxxx>
Date: Tuesday, February 14, 2017 at 2:56 AM
To: "libssh@xxxxxxxxxx" <libssh@xxxxxxxxxx>
Subject: Re: hostbased authentication in libssh

>On Thursday, 9 February 2017 23:46:35 CET DeJager, Christopher Alan wrote:
>> According to http://api.libssh.org/stable/index.html libssh supports
>> hostbased authentication. However, I have yet to be successful using it
>> cannot find an example of someone else doing it.
>> I am trying to write a client to connect to an openssh-server v6.7. I
>> not see an authentication function related to hostbased in
>> http://api.libssh.org/stable/group__libssh__auth.html so I tried loading
>> the private key for the client with ssh_pki_import_privkey_file() and
>> authenticating with ssh_userauth_publickey(). I have also tried
>> ssh_userauth_none() and skipping that step. I did successfully
>> with a public key and with a password.
>> Is hostbased authentication supported on the client and if so how would
>> I go about it?
>That is an error on the page. We do not support it but maybe you're
>to implement it?
>Shouldn't be very hard to add it.
>	Andreas
>Andreas Schneider                   GPG-ID: CC014E3D
>www.cryptomilk.org                asn@xxxxxxxxxxxxxx

