HashKnownHosts vs @cert-authority

Damien Miller djm at mindrot.org
Mon Dec 12 19:09:20 AEDT 2016

On Fri, 9 Dec 2016, Harald Dunkel wrote:

> Hi folks,
> maybe I am too blind to see, but would it be possible to
> avoid extra entries in known_hosts, if the remote host
> has a signed public key matching a @cert-authority line?
> Something like
> 	Host *
> 		HashKnownHosts unsigned
> This could help to keep the known_hosts file small and
> yet get all the unsigned public keys in.

Certificates aren't added to known_hosts when the CA is trusted,
so this is pretty much already the behaviour.
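As an added illustration of the known_hosts mechanics the thread touches on (not code from the thread or from OpenSSH itself), the parser below classifies known_hosts entries into plain, hashed (the `|1|salt|hash` form produced by HashKnownHosts, where the hash is HMAC-SHA1 keyed with the salt over the hostname) and marker lines such as `@cert-authority`, and looks up which entries apply to a given hostname. The sample file, salt and key blobs are constructed placeholders. Wildcard and `!` negation handling is a simplified approximation of OpenSSH's pattern matching, not a reimplementation of it.

```python
"""Classify and match OpenSSH known_hosts entries (added example, not from the thread)."""
import base64
import fnmatch
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

HASH_MAGIC = "|1|"  # prefix of a hashed host field (HashKnownHosts=yes)


@dataclass
class KnownHost:
    marker: Optional[str]  # "@cert-authority", "@revoked" or None
    hosts: str             # host field: pattern list, or |1|salt|hash when hashed
    keytype: str           # e.g. ssh-ed25519
    key: str               # base64 key blob (placeholders in the sample below)
    hashed: bool


def parse_line(line: str) -> Optional[KnownHost]:
    """Parse one known_hosts line; return None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    marker = fields.pop(0) if fields[0].startswith("@") else None
    if len(fields) < 3:
        raise ValueError("malformed known_hosts line: %r" % line)
    hosts, keytype, key = fields[0], fields[1], fields[2]
    return KnownHost(marker, hosts, keytype, key, hosts.startswith(HASH_MAGIC))


def hash_host(hostname: str, salt: bytes) -> str:
    """Build the HashKnownHosts form: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=hostname))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def host_matches(entry: KnownHost, hostname: str) -> bool:
    """Does this entry's host field cover hostname?"""
    if entry.hashed:
        # Hashed entries hide the hostname; recompute the HMAC with the stored salt.
        _, _, salt_b64, digest_b64 = entry.hosts.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, actual)
    # Plain entries: comma-separated patterns; a matching "!" pattern excludes the host.
    matched = False
    for pattern in entry.hosts.split(","):
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pattern[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pattern):
            matched = True
    return matched


def lookup(known_hosts_text: str, hostname: str) -> List[KnownHost]:
    """Return every entry that applies to hostname, in file order."""
    entries = []
    for line in known_hosts_text.splitlines():
        entry = parse_line(line)
        if entry is not None and host_matches(entry, hostname):
            entries.append(entry)
    return entries


# Constructed sample known_hosts. The salt is fixed for reproducibility and the
# key blobs are placeholders, not real keys.
_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "@cert-authority *.example.com ssh-ed25519 AAAAC3_CA_PLACEHOLDER",
    "bastion.example.com ssh-ed25519 AAAAC3_HOST_PLACEHOLDER",
    hash_host("legacy.example.net", _SALT) + " ssh-rsa AAAAB3_HASHED_PLACEHOLDER",
])

if __name__ == "__main__":
    for host in ("web1.example.com", "bastion.example.com",
                 "legacy.example.net", "other.example.net"):
        found = lookup(SAMPLE_KNOWN_HOSTS, host)
        print(host, [(e.marker, e.keytype, e.hashed) for e in found])
```

Running it shows the distinction the reply is making: `web1.example.com` is covered only by the `@cert-authority` line, so a host presenting a certificate signed by that CA needs no per-host entry, while `legacy.example.net` is only reachable through a hashed per-host line that must be recomputed from its salt to be recognised.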

