Basically the current thought is to support two setups:
SSH style: lxd and lxc both generate their own certificates. On first connection to a server, the fingerprint is shown and the user is prompted about it. Then they proceed to password authentication (or not, if already trusted by the server) and their public key is added to the server's trust store.
PKI style: certificates are generated centrally and manually added to the server and client, including a CA. All checks are performed against the CA, including certificate type checking and the CommonName field. If all checks out, the connection is allowed without user intervention; if something doesn't, the connection fails. The user would then be able to override the failing behaviour through the environment or a similarly difficult path.
There appears to be no guidance as to how certificates should be created, checked, and presented (how and when) to users.
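The PKI-style checks described in this issue (chain to the CA, certificate type, CommonName) can be sketched in Go as follows. This is an added example, not LXD code: `issue`, `checkPeer`, `must` and the names `example-ca` and `lxd-host.example` are hypothetical, and the certificates are constructed in memory for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue builds a constructed test certificate; a nil parent yields a self-signed CA.
func issue(cn string, eku x509.ExtKeyUsage, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, t.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		parent, pkey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey))
	return must(x509.ParseCertificate(der)), key
}

// checkPeer applies the PKI-style checks: chain to the CA, certificate type, CommonName.
func checkPeer(peer, ca *x509.Certificate, want x509.ExtKeyUsage, cn string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{want}}); err != nil {
		return fmt.Errorf("CA or certificate type check failed: %w", err)
	}
	if peer.Subject.CommonName != cn { // Go's verifier ignores CN, so compare it explicitly
		return fmt.Errorf("CommonName %q, expected %q", peer.Subject.CommonName, cn)
	}
	return nil
}
func main() {
	ca, caKey := issue("example-ca", 0, nil, nil)
	srv, _ := issue("lxd-host.example", x509.ExtKeyUsageServerAuth, ca, caKey)
	fmt.Println("server check:", checkPeer(srv, ca, x509.ExtKeyUsageServerAuth, "lxd-host.example"))
}
```

A client certificate presented where a server certificate is expected, a certificate from a different CA, and a CommonName mismatch each return an error, which is the "connection fails" branch above.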