
[FEAT] - please support signed host keys #2277

Open
harridu opened this issue Jul 29, 2023 · 6 comments
@harridu

harridu commented Jul 29, 2023

Is this feature for paramiko acting as a client or a server?

Client

What functionality does this feature request relate to?

known_hosts

For client-side features, does this relate to a specific type of SSH server?

No response

If you're using paramiko as part of another tool, which tool/version?

No response

Desired behavior

Host keys are very hard to verify. I would guess that nobody really does. To mitigate the problem openssh supports signed host keys. Apparently paramiko throws an internal error if the peer's host key is signed. At least dput-ng (the Debian package based upon paramiko) does.

It would be very nice if paramiko could support signed host keys as well.

Anything else?

No response

@bskinn
Contributor

bskinn commented Aug 15, 2023

#771 and the associated #2270 should allow paramiko to at least parse entries in known_hosts that have the @cert-authority marker.

Are you also requesting that paramiko implement the ability to verify the host cert against a CA?

Or will the "it will at least parse ok" functionality of #2270 suffice for your needs?

@smammy

smammy commented Aug 17, 2023

No idea what @harridu's intent was, but I'd like to request that Paramiko implement the ability to verify the host cert against a CA. 😁

@bskinn
Contributor

bskinn commented Aug 17, 2023

> No idea what @harridu's intent was, but I'd like to request that Paramiko implement the ability to verify the host cert against a CA. 😁

Noted. You may consider the feature requested. 😄

bskinn added the labels "Feature request", "eval needed", "Triage -> maintainer signal" and "Keys" on Aug 17, 2023
@harridu
Author

harridu commented Aug 17, 2023

Sorry, I should have provided more information right from the start. Paramiko throws an exception if the host key is signed:

SFTP error uploading to myhost.example.com: BadHostKeyException('myhost.example.com', <paramiko.ed25519key.Ed25519Key object at 0x7f5d06ba3f10>, <paramiko.rsakey.RSAKey object at 0x7f5d07539390>)

To create a signed host key using openssh, please check the various guidelines on the net, e.g. https://www.lorier.net/docs/ssh-ca.html. I have to admit, I have no idea whether this signed host key thing is a standard feature supported by other ssh implementations as well.

Paramiko is version 2.12.0, as included in Debian 12. Python is version 3.11.2.

Hope this helps.

@bskinn
Contributor

bskinn commented Aug 17, 2023

Hm... as best I understand, signed key creation would be yet another feature... so, a third:

  1. Don't explode when a key is signed; use it successfully, but without verification (Add markers to known_hosts parser re paramiko#771 #2270)
  2. Actually CA-verify a signed key, beyond just using it (this feature request ticket)
  3. Provide functionality to create signed host keys

To make sure I understand - are you requesting that paramiko support (3), @harridu? Or were you only describing key creation for context?

My two cents... I'm skeptical of whether bitprophet would consider (3) as in-scope for paramiko. I don't think the project is aiming to be a Python interface for the totality of the OpenSSH tool/suite, just the parts dealing with connecting to and communicating with clients/servers.
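Added example for this thread (not paramiko's code): a marker-aware known_hosts parser that handles the @cert-authority and @revoked markers, hashed host fields and negated patterns, then groups the keys covering a host by how a client must treat them, which is step (1) above and also the reason a plain key comparison against a CA line yields the BadHostKeyException quoted earlier, since the CA key never equals the key the server presents. The sample file and its key fields are constructed placeholders; actual certificate signature verification against the CA key, step (2), is not attempted here.

```python
import base64, fnmatch, hashlib, hmac

MARKERS = ("@cert-authority", "@revoked")

def host_matches(pattern_field, hostname):
    """True if a known_hosts host field (hashed or pattern list) covers hostname."""
    if pattern_field.startswith("|1|"):  # HashKnownHosts form: HMAC-SHA1 keyed by the salt
        _, _, salt_b64, mac_b64 = pattern_field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    pats = pattern_field.split(",")
    if any(fnmatch.fnmatchcase(hostname, p[1:]) for p in pats if p.startswith("!")):
        return False  # a negated pattern excludes the host outright
    return any(fnmatch.fnmatchcase(hostname, p) for p in pats if not p.startswith("!"))

def parse_known_hosts(text):
    """Yield (marker, hosts, keytype, key) per entry; marker is None when absent."""
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if marker is not None and marker not in MARKERS:
            raise ValueError(f"unknown marker {marker!r} in {raw!r}")
        if len(fields) < 3:
            raise ValueError(f"malformed known_hosts line {raw!r}")
        yield marker, fields[0], fields[1], fields[2]

def classify(entries, hostname):
    """Group keys covering hostname by use: 'plain' keys are compared with the presented
    host key, 'revoked' keys are rejected, 'ca' keys are trusted certificate signers."""
    out = {"plain": [], "ca": [], "revoked": []}
    names = {None: "plain", "@cert-authority": "ca", "@revoked": "revoked"}
    for marker, hosts, keytype, key in entries:
        if host_matches(hosts, hostname):
            out[names[marker]].append((keytype, key))
    return out

def hash_host(hostname, salt):
    """Build the hashed host field OpenSSH writes when HashKnownHosts is on."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

# Constructed sample file; the key fields are placeholders, not real public keys.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "myhost.example.com ssh-ed25519 PLAIN_KEY_MYHOST",
    "@cert-authority *.example.com,!old.example.com ssh-ed25519 CA_KEY_EXAMPLE",
    "@revoked old.example.com ssh-rsa REVOKED_KEY_OLD",
    hash_host("hashed.example.net", bytes(range(20))) + " ssh-ed25519 PLAIN_KEY_HASHED",
])
```

For myhost.example.com the result carries both a plain key and a CA key; a client that only knows how to do a direct comparison would compare the server's key against CA_KEY_EXAMPLE and fail, while a certificate-aware client would instead check that the presented certificate is signed by it.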

@harridu
Author

harridu commented Aug 20, 2023

I would be happy with (2)
