x/crypto/ssh: Support OpenSSH protocol extension for host key rotation #14114
Comments
|
in the handshake, the server can only offer one key of each type to the client. Hence, it doesn't make much sense to change AddHostKey. The document you describe is a global request/response call, which can be implemented in the application layer, in particular, the request will be sent to the request channel returned from https://godoc.org/golang.org/x/crypto/ssh#NewServerConn . Since the SSH library doesn't include a real server application layer implementation, it's not obvious where to hook it up. I have the following suggestion: you could write a set of functions that will let a client issue the request, let the server send a set of new keys, and let the client verify them. If you implement both sides, you can unittest them against each other. Then people can install these functions into clients or servers as they please. I think these functions should live outside the SSH package proper, since it is an application level mechanism, and not really a protocol extension. If we have a library, we could put it into standard library as (say) x/crypto/ssh/keyrotate/ I am strongly in favor of putting any and all application extensions into separate packages, rather than adding them to the ssh library. This makes the SSH package more maintainable, and easier to understand to callers. |
OpenSSH supports a protocol extension for host key rotation. While it probably isn't widely deployed yet, the world would be better if it were. See this blog post for background information.
The
AddHostKeyfunction currently overwrites host keys of the same algorithm. I suspect this could be extended to track all keys and offer them to clients using the "hostkeys-00@openssh.com" message.The text was updated successfully, but these errors were encountered: