When ssh performs host authentication against a hostname registered in known_hosts with @cert-authority, it apparently compares the name entirely in lowercase, so the check fails if the hostname inside the server (host) certificate contains uppercase letters. Take care when the name comes from /bin/hostname or similar. Only the hostname inside the server certificate needs adjusting; known_hosts and the like apparently do not need any attention.
Environment
ito@ito-VirtualBox:~$ ssh -V
OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6, OpenSSL 1.0.1f 6 Jan 2014
Trying it out
NG
ito@ito-VirtualBox:~$ sudo ssh-keygen -s ca/ca.key -I ca-test-server -h -n ito-VirtualBox /etc/ssh/ssh_host_rsa_key.pub
Signed host key /etc/ssh/ssh_host_rsa_key-cert.pub: id "ca-test-server" serial 0 for ito-VirtualBox valid forever
ito@ito-VirtualBox:~$ ssh-keygen -L -f /etc/ssh/ssh_host_rsa_key-cert.pub
/etc/ssh/ssh_host_rsa_key-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com host certificate
        Public key: RSA-CERT 8f:3e:82:c9:1f:5e:90:bd:46:09:0d:1d:7c:36:f5:73
        Signing CA: RSA 2f:4b:d1:af:a9:f7:94:67:9f:b2:a1:88:d2:b0:85:55
        Key ID: "ca-test-server"
        Serial: 0
        Valid: forever
        Principals:
                ito-VirtualBox
        Critical Options: (none)
        Extensions: (none)
ito@ito-VirtualBox:~$ ssh -i client/client.key client@ito-VirtualBox
Certificate invalid: name is not a listed principal
The authenticity of host 'ito-virtualbox (127.0.1.1)' can't be established.
RSA key fingerprint is 8f:3e:82:c9:1f:5e:90:bd:46:09:0d:1d:7c:36:f5:73.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.
OK
ito@ito-VirtualBox:~$ sudo ssh-keygen -s ca/ca.key -I ca-test-server -h -n ito-virtualbox /etc/ssh/ssh_host_rsa_key.pub
Signed host key /etc/ssh/ssh_host_rsa_key-cert.pub: id "ca-test-server" serial 0 for ito-virtualbox valid forever
ito@ito-VirtualBox:~$ ssh-keygen -L -f /etc/ssh/ssh_host_rsa_key-cert.pub
/etc/ssh/ssh_host_rsa_key-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com host certificate
        Public key: RSA-CERT 8f:3e:82:c9:1f:5e:90:bd:46:09:0d:1d:7c:36:f5:73
        Signing CA: RSA 2f:4b:d1:af:a9:f7:94:67:9f:b2:a1:88:d2:b0:85:55
        Key ID: "ca-test-server"
        Serial: 0
        Valid: forever
        Principals:
                ito-virtualbox
        Critical Options: (none)
        Extensions: (none)
ito@ito-VirtualBox:~$ ssh -i client/client.key client@ito-VirtualBox
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

Last login: Tue May 10 15:25:35 2016 from localhost
client@ito-VirtualBox:~$
If the connection goes through without the "trust this host and add it to known_hosts?" prompt that appears on a first connection with public-key authentication, and without a new entry being added to known_hosts, host authentication has succeeded.
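As an added example (not part of the original post and not OpenSSH tooling), a small POSIX sh helper that lowercases the principal list before calling ssh-keygen -s with the flags used above, plus a parser that flags uppercase principals in the output of ssh-keygen -L so already-issued host certificates can be audited. The function names (normalize_principals, has_uppercase, uppercase_principals, sign_host_key, check_cert_principals) are assumed names, and the parser assumes the "Principals:" block layout shown in the sessions above.

```shell
#!/bin/sh
# Added example: keep host-certificate principals lowercase so they match the
# lowercased hostname ssh compares against @cert-authority known_hosts entries.
# All function names here are assumed; only ssh-keygen itself is real.

# Lowercase a comma-separated principal list and drop empty entries.
#   normalize_principals 'ito-VirtualBox,,Foo.Example.COM'
#   -> ito-virtualbox,foo.example.com
normalize_principals() {
    printf '%s\n' "$1" | LC_ALL=C awk -F, '{
        out = ""
        for (i = 1; i <= NF; i++)
            if ($i != "") out = out (out == "" ? "" : ",") tolower($i)
        print out
    }'
}

# Return 0 (true) if the string contains at least one uppercase ASCII letter.
has_uppercase() {
    [ "$1" != "$(printf '%s' "$1" | LC_ALL=C tr 'A-Z' 'a-z')" ]
}

# Read `ssh-keygen -L` output on stdin, print each principal containing an
# uppercase letter, and exit 1 if any was found (0 if all are lowercase).
# Assumes the layout "Principals:" followed by one indented name per line,
# terminated by the next "Label:" line, as in the sessions above.
uppercase_principals() {
    LC_ALL=C awk '
        /^ *Principals:/   { inblock = 1; next }
        /^ *[A-Za-z ]+:/   { inblock = 0 }
        inblock && /[A-Z]/ { print $1; bad = 1 }
        END                { exit bad ? 1 : 0 }'
}

# Sign a host key with the principals lowercased first.
#   sign_host_key ca/ca.key ca-test-server ito-VirtualBox /etc/ssh/ssh_host_rsa_key.pub
sign_host_key() {
    ca_key=$1; key_id=$2; principals=$3; pubkey=$4
    if has_uppercase "$principals"; then
        echo "note: lowercasing principals '$principals'" >&2
    fi
    ssh-keygen -s "$ca_key" -I "$key_id" -h -n "$(normalize_principals "$principals")" "$pubkey"
}

# Audit an existing certificate file; non-zero exit means a principal would fail the check.
check_cert_principals() {
    ssh-keygen -L -f "$1" | uppercase_principals
}
```

Run check_cert_principals against /etc/ssh/ssh_host_rsa_key-cert.pub after signing to confirm no mixed-case principal slipped in.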