Hi,

On Fri, Sep 05, 2025 at 11:45:33AM +0200, Jan Schermer wrote:
> I am not that familiar with HostbasedAuthentication, or rather how it was/is actually used and what the background is.
> To me, the whole thing with SSHKeySign looks like the server could actually SSH back to the client('s server), have the server sign/verify it (sort of out-of-band) and then accept/reject the original authentication, not sure if something like that is behind this design or not but that's why my thoughts went for verifying the hostname by forward DNS lookup...

The server will never SSH back.

There is a suid binary on the client (ssh-keysign) which will take the client's hostkeys and sign a challenge with them. It needs to be suid because a normal user's ssh has no access to the client's private host keys.

gert
-- 
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             gert@xxxxxxxxxxxxxx
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
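A small audit script for the client-side pieces Gert describes, added here as an example (not code from the thread or from OpenSSH): it checks that ssh-keysign is installed setuid root and that the global client config turns it on. The ssh-keysign and ssh_config paths are assumed defaults that differ between distributions; EnableSSHKeysign and HostbasedAuthentication are the real ssh_config keywords, and EnableSSHKeysign is only honoured in the global /etc/ssh/ssh_config, not in a user's ~/.ssh/config.

```shell
#!/bin/sh
# Added example, not from the thread: audit the client-side pieces that the
# hostbased flow described above relies on. Assumed defaults: ssh-keysign at
# /usr/libexec/ssh-keysign (Debian: /usr/lib/openssh/ssh-keysign) and the
# client config at /etc/ssh/ssh_config; both can be passed as arguments.
# 0 if FILE is a regular file with the setuid bit set (owner-execute shows
# as 's' or 'S' in the ls mode string), 1 otherwise.
file_is_suid() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c1-10)" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}
# Print the owner of FILE as ls reports it.
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}
# Print the value of keyword OPTION from an ssh_config-style FILE.
# ssh_config semantics: keywords are case-insensitive and the first value
# found wins. Host/Match scoping is ignored (assumption: a global audit).
config_value() {
    awk -v opt="$1" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == tolower(opt) { print $2; exit }
    ' "$2"
}

# Run the checks; returns 0 only when every piece is in place.
audit_hostbased_client() {
    keysign=${1:-/usr/libexec/ssh-keysign}
    cfg=${2:-/etc/ssh/ssh_config}
    rc=0
    if file_is_suid "$keysign" && [ "$(file_owner "$keysign")" = root ]; then
        echo "ok:   $keysign is setuid root"
    else
        echo "FAIL: $keysign missing, not setuid, or not owned by root"; rc=1
    fi
    for kw in EnableSSHKeysign HostbasedAuthentication; do
        v=$(config_value "$kw" "$cfg")
        if [ "$v" = yes ]; then
            echo "ok:   $kw yes in $cfg"
        else
            echo "FAIL: $kw is '${v:-unset}' in $cfg (need yes)"; rc=1
        fi
    done
    return $rc
}
```

Run `audit_hostbased_client` with no arguments on a client host to use the assumed paths; a non-zero exit means hostbased authentication cannot work from that client as configured.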