PKI host based principal

Damien Miller djm at
Tue Feb 24 04:35:44 AEDT 2015

On Sun, 22 Feb 2015, Alon Bar-Lev wrote:

> Hello,
> Maybe I did not understand correctly the PKI trust, so forgive me if I
> am wrong.
> For example, I have multiple hosts that all serve as monitoring
> servers, I would like to trust only these hosts, so I enrol a
> certificate for these using "monitoring" principal, so I can connect
> only to these.
> At first I thought we can do Match statement at ssh_config, however,
> the Match is being evaluated before connection, so the remote principal
> name is not available at this stage.
> From what I do understand the known_hosts format enables CA key and
> DNS mask of matched hosts.
> There is no way to match against the certificate principal name.
> I thought about something like:
> @cert-authority
> *,*,principal=xxx,principal=yyy <CA_KEY>

I don't think I want to add more indirection to known_hosts; the file
is already a mess of tangled, overlapping features and I'm terrified to
add more :/

Someone sent me a patch to allow certificate hostname principal matching
against HostKeyAlias if matching against the exact hostname failed.
This might be an alternative way for you to achieve what you want.
What do you think?

> If the above cannot be done, do you think it will be helpful?
> BTW: It would also be handy to allow specify CA key within separate
> file, something like the following:
> @cert-authority-file *,*,principal=xxx /etc/.../

I'm not sure it's worth the extra complexity in known_hosts parsing,
given that it's already possible to specify multiple user/system
known_hosts files.

E.g. you could do:

UserKnownHostsFile ~/.ssh/known_hosts ~/.ssh/known_hosts_mydomain

with the latter listing the CA keys.
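As an added example (not code from the original thread and not OpenSSH's own implementation), the following Python models how ssh consults the two files named in that UserKnownHostsFile line, in order: plain host keys in the first, @cert-authority lines in the second, with the known_hosts host-pattern rules (comma-separated patterns, `*`/`?` wildcards, `!` negation, `[host]:port`) and the acceptance rule for a host certificate. The file contents, host names and key strings are constructed placeholders; hashed `|1|` entries, KRLs and real key parsing are deliberately left out. It also shows the point of the thread: only the host name is compared against the certificate's principals, so a "monitoring" principal is never consulted.

```python
"""Model of the split known_hosts lookup suggested above.  Added example, not
OpenSSH code; hashed (|1|...) entries, KRLs and real key parsing are omitted
and every key string is a constructed placeholder, not real key material."""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed contents of the two files named in UserKnownHostsFile, in order.
KNOWN_HOSTS = """\
# hand-pinned plain host keys
bastion.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER_BASTION
"""
KNOWN_HOSTS_MYDOMAIN = """\
# CA keys for the domain; the test box is excluded, a second CA covers port 2222
@cert-authority *.example.com,!test.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER_CA_MYDOMAIN
@cert-authority [*.example.com]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER_CA_ALTPORT
@revoked *.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER_CA_LEAKED
"""
FILES: List[Tuple[str, str]] = [
    ("~/.ssh/known_hosts", KNOWN_HOSTS),
    ("~/.ssh/known_hosts_mydomain", KNOWN_HOSTS_MYDOMAIN),
]
CA_MYDOMAIN = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER_CA_MYDOMAIN"
CA_ALTPORT = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER_CA_ALTPORT"
CA_LEAKED = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER_CA_LEAKED"


@dataclass
class Entry:
    marker: str            # "", "@cert-authority" or "@revoked"
    patterns: List[str]    # comma-separated host patterns, "!" prefix negates
    keytype: str
    key: str               # base64 key blob (placeholder here)
    source: str            # file the line came from


def parse_known_hosts(text: str, source: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        marker = ""
        if line.startswith("@"):
            marker, line = line.split(None, 1)
        fields = line.split(None, 3)        # hosts keytype key [comment]
        if len(fields) < 3:
            continue                        # malformed line; skipped like ssh does
        entries.append(Entry(marker, fields[0].split(","), fields[1], fields[2], source))
    return entries


def match_pattern(name: str, pat: str) -> bool:
    """OpenSSH-style wildcard match: only '*' and '?' are special (so '[' is a
    literal, unlike fnmatch), case-insensitive as host names are."""
    if not pat:
        return name == ""
    if pat[0] == "*":
        return any(match_pattern(name[i:], pat[1:]) for i in range(len(name) + 1))
    if name and (pat[0] == "?" or pat[0].lower() == name[0].lower()):
        return match_pattern(name[1:], pat[1:])
    return False


def match_patterns(patterns: List[str], name: str) -> bool:
    """A matching negated pattern vetoes the entry; otherwise any positive match accepts it."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if match_pattern(name, pat[1:]):
                return False
        elif match_pattern(name, pat):
            positive = True
    return positive


def lookup_name(host: str, port: int = 22) -> str:
    # ssh looks up "host" on the default port and "[host]:port" otherwise
    return host if port == 22 else f"[{host}]:{port}"


def entries_for(files: List[Tuple[str, str]], host: str, port: int = 22) -> List[Entry]:
    """All entries, across every listed file in order, whose patterns match the host."""
    name = lookup_name(host, port)
    return [e for source, text in files
            for e in parse_known_hosts(text, source)
            if match_patterns(e.patterns, name)]


def certificate_accepted(files: List[Tuple[str, str]], host: str, port: int,
                         ca_key: str, cert_principals: List[str]) -> bool:
    """Host-certificate check as the thread describes it: the signing CA must be
    listed as @cert-authority for a pattern matching the host and not be @revoked,
    and the host name itself must be one of the certificate's principals.  No
    other principal (such as "monitoring") is consulted anywhere."""
    found = entries_for(files, host, port)
    if any(e.marker == "@revoked" and e.key == ca_key for e in found):
        return False
    if not any(e.marker == "@cert-authority" and e.key == ca_key for e in found):
        return False
    return host in cert_principals
```

With these files, a certificate for mon1.example.com signed by the domain CA is accepted only if "mon1.example.com" is among its principals; a certificate carrying just the "monitoring" principal is rejected, which is exactly why the original question cannot be answered from known_hosts alone. The negated pattern removes test.example.com from the CA's scope, and the `[host]:port` form keeps the port-2222 CA separate from the default-port one.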

