HashKnownHosts vs @cert-authority
Damien Miller
djm at mindrot.org
Mon Dec 12 19:09:20 AEDT 2016
On Fri, 9 Dec 2016, Harald Dunkel wrote:
> Hi folks,
>
> maybe I am too blind to see, but would it be possible to
> avoid extra entries in known_hosts, if the remote host
> has a signed public key matching a @cert-authority line?
> Something like
>
> Host *
> HashKnownHosts unsigned
>
> This could help to keep the known_hosts file small and
> yet get all the unsigned public keys in.
Certificates aren't added to known_hosts when the CA is trusted,
so this is pretty much already the behaviour.
-d
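
The behaviour described in the reply above can be checked against an existing file. The following is an added example, not part of the original message and not OpenSSH code: it reports, for a given host name, whether a `@cert-authority` line covers it and whether an individual (plain or hashed) key entry exists. The function names, host names and key placeholders are constructed for illustration, and host names are assumed to be lowercase already.

```python
import base64, hashlib, hmac, re

def hash_host(host, salt):
    # HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host))
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def field_matches(field, host):
    # Hashed entries hold one name each; recompute the HMAC with the stored salt.
    if field.startswith("|1|"):
        parts = field.split("|")
        if len(parts) != 4:
            return False
        return hmac.compare_digest(hash_host(host, base64.b64decode(parts[2])), field)
    # Plain entries: comma-separated patterns, '*' and '?' wildcards, '!' negates.
    matched = False
    for pat in field.split(","):
        rx = re.escape(pat.lstrip("!")).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(rx, host):
            if pat.startswith("!"):
                return False
            matched = True
    return matched

def classify(known_hosts_text, host):
    # Returns (covered_by_trusted_ca, has_individual_key_entry) for host.
    ca = plain = False
    for line in known_hosts_text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0].startswith("#") or f[0] == "@revoked":
            continue
        if f[0] == "@cert-authority":
            ca = ca or field_matches(f[1], host)
        else:
            plain = plain or field_matches(f[0], host)
    return ca, plain

# Constructed sample; key blobs are placeholders, not real keys.
SAMPLE = "\n".join([
    "@cert-authority *.example.com,!bastion.example.com ssh-ed25519 CA_KEY_PLACEHOLDER",
    "legacy.example.net ssh-ed25519 HOST_KEY_PLACEHOLDER",
    hash_host("db.internal.test", bytes(range(20))) + " ssh-ed25519 HOST_KEY_PLACEHOLDER",
])

if __name__ == "__main__":
    for h in ("web1.example.com", "bastion.example.com", "legacy.example.net", "db.internal.test"):
        print(h, classify(SAMPLE, h))
```

Hosts reported as covered by a CA and without an individual entry are the ones whose certificates are accepted without growing the file; the hashed entry is only recognisable when the candidate host name is supplied.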