ssh-keysign does not honor host canonicalization

Carson Gaspar carson at
Thu Jul 25 06:55:46 AEST 2019

We attempted to put "EnableSSHKeysign yes" in a "Match canonical host" 
block and discovered that it didn't work. Looking at the code, ssh does 
2 config passes handling canonicalization, but ssh-keysign does not. I'm 
not sure if ssh-keysign should implement the same 2-pass logic, or just 
pass want_final_pass=1 to read_config_file, but I'm pretty sure the 
current behaviour is undesirable.

More information about the openssh-unix-dev mailing list
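
A simplified model of the behaviour reported above, added here as an illustration (it is not OpenSSH source and not part of the original post): a `Match canonical host` block only becomes true on a final, post-canonicalization pass, so a reader that makes a single non-final pass never applies `EnableSSHKeysign yes`. The struct, function names, sample config and the `*.example.com` pattern are constructed for the example, and `fnmatch` stands in for OpenSSH's own pattern matcher.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of client config evaluation; NOT OpenSSH source. */
struct cfg_line { const char *key, *arg, *pattern; };

/* Constructed sample config; *.example.com is a placeholder pattern. */
static const struct cfg_line sample[] = {
    { "CanonicalizeHostname", "yes", NULL },
    { "Match", "canonical", "*.example.com" }, /* Match canonical host ... */
    { "EnableSSHKeysign", "yes", NULL },
};

/* One pass over the config. Only "Match canonical host <pattern>" is
 * modelled: it is true solely on the final pass. First value set wins. */
static void read_pass(const char *host, int final_pass, int *keysign) {
    int active = 1; /* lines before any Match always apply */
    for (size_t i = 0; i < sizeof(sample) / sizeof(sample[0]); i++) {
        const struct cfg_line *l = &sample[i];
        if (strcmp(l->key, "Match") == 0)
            active = final_pass && strcmp(l->arg, "canonical") == 0 &&
                fnmatch(l->pattern, host, 0) == 0; /* stand-in matcher */
        else if (active && *keysign == -1 &&
            strcmp(l->key, "EnableSSHKeysign") == 0)
            *keysign = strcmp(l->arg, "yes") == 0;
    }
}

/* Two passes, the second after canonicalization (ssh, per the post). */
int ssh_style(const char *canonical_host) {
    int keysign = -1; /* -1 = unset, falls back to the default "no" */
    read_pass(canonical_host, 0, &keysign);
    read_pass(canonical_host, 1, &keysign);
    return keysign == 1;
}

/* A single non-final pass (ssh-keysign, per the post). */
int keysign_style(const char *host) {
    int keysign = -1;
    read_pass(host, 0, &keysign);
    return keysign == 1;
}

int main(void) {
    printf("ssh: %d, ssh-keysign: %d\n", ssh_style("host.example.com"),
        keysign_style("host.example.com"));
    return 0;
}
```

In the model the same configuration yields the option enabled for the two-pass reader and disabled for the single-pass reader, even when the host name matches the pattern.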