[monkeysphere] tinc-monkeysphere integration

Guus Sliepen guus at tinc-vpn.org
Mon Dec 17 23:48:54 CET 2012


On Mon, Dec 17, 2012 at 04:45:34PM +0000, Clint Adams wrote:

> On Sun, Dec 16, 2012 at 02:13:02PM +0100, Guus Sliepen wrote:
> > Why do you need multiple keys per node for Monkeysphere?
> 
> It is possible for there to be more than one Monkeysphere-validated
> key for a userid, and no way of knowing which of those is the
> "correct" one.
> 
> The solution for ssh involves generating an authorized_keys
> file with all valid, matching keys.

Ah, I see.

> Presumably this cannot currently be done with tinc.

The protocol assumes there is only one key, so neither the public keys nor
their fingerprints are exchanged during the authentication phase. Tinc also
expects only one public key to be in a host config file, and if there are
multiple it will only use the first one.

A very dirty hack would be to write a program that continuously reads the log
output from tinc, and when it sees an unsuccessful connection has been made to a
node, it will replace the public key in its host config file with another one.
Since tinc rereads the host config file on every retry, it will use the new key
when trying to reconnect.

But perhaps it's better to ensure that only the key will be used which is
signed by the uid of the corresponding host itself. If there still are multiple
keys, use the one which has the newest signature from the host itself.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
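The selection rule from the last paragraph (use only keys signed by the host's own uid, and among those the one with the newest such signature), written out as an added example. This is not code from the thread, tinc or Monkeysphere; the data model, the `tinc://` uid form and the fingerprints are assumed or constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple


# Hypothetical data model: one Monkeysphere-validated key for a host uid,
# with the OpenPGP certifications (signer uid, signature time) it carries.
@dataclass
class CandidateKey:
    fingerprint: str
    signatures: List[Tuple[str, datetime]] = field(default_factory=list)


def select_host_key(host_uid: str, candidates: List[CandidateKey]) -> Optional[str]:
    """Return the fingerprint of the single key tinc should load for host_uid.

    Only keys carrying a signature from the host's own uid are considered;
    if several remain, the one with the newest self-signature wins.
    Returns None when no key qualifies, so the caller can refuse to
    connect instead of silently picking the first key in the list.
    """
    best_fpr, best_time = None, None
    for key in candidates:
        own_sigs = [when for signer, when in key.signatures if signer == host_uid]
        if not own_sigs:
            continue  # validated for the uid, but never signed by the host itself
        newest = max(own_sigs)
        if best_time is None or newest > best_time:
            best_fpr, best_time = key.fingerprint, newest
    return best_fpr


# Constructed sample: the uid form and fingerprints are placeholders.
HOST_UID = "tinc://alpha.example.net"
CANDIDATES = [
    # Certified only by a third party: must never be chosen.
    CandidateKey("CONSTRUCTED_FPR_1", [("admin@example.net", datetime(2012, 1, 1))]),
    # Signed by the host itself, but with an older self-signature.
    CandidateKey("CONSTRUCTED_FPR_2", [(HOST_UID, datetime(2011, 6, 1)),
                                       ("admin@example.net", datetime(2012, 2, 1))]),
    # Signed by the host itself, newest self-signature: this one is used.
    CandidateKey("CONSTRUCTED_FPR_3", [(HOST_UID, datetime(2012, 12, 1))]),
]

if __name__ == "__main__":
    print(select_host_key(HOST_UID, CANDIDATES))  # CONSTRUCTED_FPR_3
```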
