Implementing OpenSSH certificate support in PuTTY

In 2022, PuTTY gained support for the OpenSSH certificate system, allowing you to configure your client to accept host keys automatically if they're signed by a local CA, and pass certified user keys to servers that are configured to accept them. My sponsor and lead partner for this work was Teleport. After the work was done, they asked if I'd write something about it.

A lot of new features in PuTTY are ‘local’, in the sense that they mostly affect just one part of the code – say, the SSH layer, or the cryptography, or the terminal. Perhaps they might need a small piece of support elsewhere (say, a checkbox in the GUI to turn the new feature on, or an identifier in the SSH protocol to negotiate the new crypto algorithm), but those parts are usually easy. The typical feature is only hard in one place.

But certificate support is hard almost everywhere. The mere fact that some keys are certificates at all required changes in the internal APIs for public keys, and so did the idea that multiple public key types are strongly related to each other (the certified and uncertified versions of the same algorithm). The SSH code that decides whether to accept a host key needed to be restructured; there were design challenges in Pageant, in the user interface, and in the configuration data format. This feature impacts almost every part of the code except the terminal emulation, and most of those parts needed thought about how to do it right.

The only part that wasn't too hard was the low-level cryptography, because OpenSSH's certificate format is based on public-key algorithms and data formats that an SSH implementation has to support already to work at all. (That's one reason OpenSSH designed it this way, rather than using the more popular but far more complicated X.509 format.)

So to implement a feature as far-reaching as this, I wasn't going to be able to just keep my brain focused on one system. And I couldn't implement it one subsystem at a time in strict order, either (say, crypto layer, then SSH layer, then UI), because all the design requirements on those systems affect each other, and I had no confidence that I wouldn't get half way through one layer and realise I should have done another layer differently. Maybe somebody somewhere can plan a piece of work like this with perfect foresight – but I'm not that person.

So instead, I implemented all those pieces in parallel with each other, switching back and forth between all the different parts of the code, and revising each part whenever work on another part revealed the need for changes.