Can an ssh certificate have an IP address as principal?
by berndbausch from LinuxQuestions.org on (#4TCYN)
I am experimenting with SSH certificates as an alternative to key-based authentication. Currently, I am able to authenticate the host I am accessing via SSH; i.e. I don't get the "The authenticity of host 'blabla' can't be established" message anymore. Success!
However, no success when I access the host via its IP address:
Code:
$ ssh -vvv 192.168.1.16
...
debug1: Server host certificate: ssh-rsa-cert-v01@openssh.com SHA256:kfcwi9X8T4nMRw1OM0xDXETGcqjU26/zbM+KqNB6CKw, serial 0 ID "hostkey_odroid" CA ssh-rsa SHA256:BmLWnPGoPg2Edyk2NsZGQ62lm7Cae6j5bOj3uKvXzcs valid from 2019-10-30T10:36:00 to 2020-10-28T10:37:07
debug2: Server host certificate hostname: odroid.home
debug2: Server host certificate hostname: odroid
debug2: Server host certificate hostname: homeserver.home
debug2: Server host certificate hostname: homeserver
debug2: Server host certificate hostname: 192.168.1.16
debug3: hostkeys_foreach: reading file "/etc/ssh/ssh_known_hosts"
debug1: No matching CA found. Retry with plain key
The authenticity of host '192.168.1.16 (192.168.1.16)' can't be established.
RSA key fingerprint is SHA256:kfcwi9X8T4nMRw1OM0xDXETGcqjU26/zbM+KqNB6CKw.
Are you sure you want to continue connecting (yes/no)?

As can be seen, the certificate includes the IP address in its principal list. Now I wonder if IP addresses just don't work, or if they can be made to work with additional steps?
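As an added diagnostic (not from the original post), the following Python re-implements the known_hosts host-pattern match the OpenSSH client performs before it will trust a host CA for the name or address you typed; the "No matching CA found" line means no @cert-authority pattern covered "192.168.1.16", even though the certificate lists it as a principal. The sample known_hosts lines and the CA key blob are constructed, and the "fixed" line assumes the only problem is that the pattern list lacked the IP.

```python
"""Which @cert-authority entries in a known_hosts file cover a given host?

Added diagnostic, not part of the original post. Re-implements the plain
(unhashed) host-pattern matching OpenSSH applies to known_hosts lines:
comma-separated patterns, '*' and '?' wildcards, '!' negation.
Assumed: the CA key blob is a placeholder, not the key from the post.
"""

# Constructed sample: trusts the CA for the names in the post, but not the IP.
KNOWN_HOSTS = (
    "@cert-authority *.home,odroid,homeserver ssh-rsa AAAA...PLACEHOLDER\n"
)
# Same file with the IP address added to the pattern list (assumed fix).
KNOWN_HOSTS_FIXED = (
    "@cert-authority *.home,odroid,homeserver,192.168.1.16 "
    "ssh-rsa AAAA...PLACEHOLDER\n"
)


def match_pattern(s: str, p: str) -> bool:
    """OpenSSH-style glob: '*' matches any run, '?' one char, nothing else is special."""
    if not p:
        return not s
    if p[0] == "*":
        return any(match_pattern(s[i:], p[1:]) for i in range(len(s) + 1))
    return bool(s) and (p[0] == "?" or p[0] == s[0]) and match_pattern(s[1:], p[1:])


def match_pattern_list(host: str, pattern_list: str) -> bool:
    """Comma-separated list: a matching '!pattern' rejects, any other match accepts."""
    host = host.lower()
    matched = False
    for pat in pattern_list.split(","):
        negate = pat.startswith("!")
        if match_pattern(host, (pat[1:] if negate else pat).lower()):
            if negate:
                return False
            matched = True
    return matched


def cert_authorities_for(host: str, known_hosts_text: str) -> list:
    """Return 'keytype base64' of every @cert-authority line whose pattern covers host."""
    cas = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if (len(fields) >= 4 and fields[0] == "@cert-authority"
                and match_pattern_list(host, fields[1])):
            cas.append(fields[2] + " " + fields[3])
    return cas


if __name__ == "__main__":
    for host in ("odroid.home", "192.168.1.16"):
        print(host, "->", cert_authorities_for(host, KNOWN_HOSTS) or "No matching CA")
```

Both checks must pass for the certificate path to be used: the host you connect to must match an @cert-authority pattern in known_hosts, and it must also appear in the certificate's principal list (which the -vvv output above shows it does).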