ssh-keysign does not honor host canonicalization
Carson Gaspar
carson at taltos.org
Thu Jul 25 06:55:46 AEST 2019
We attempted to put "EnableSSHKeysign yes" in a "Match canonical host"
block and discovered that it didn't work. Looking at the code, ssh does
2 config passes handling canonicalization, but ssh-keysign does not. I'm
not sure if ssh-keysign should implement the same 2-pass logic, or just
pass want_final_pass=1 to read_config_file, but I'm pretty sure the
current behaviour is undesirable.
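
The configuration described in the report, as an added illustration (not part of the original post; the domain example.com and the HostbasedAuthentication line are constructed for the example). `Match canonical` matches only when the file is re-parsed after hostname canonicalization, so a reader that makes a single pass never enters that block. ssh_config(5) says EnableSSHKeysign should be placed in the non-hostspecific section, which is the placement shown second.

```sshconfig
# /etc/ssh/ssh_config (constructed example)

# --- Placement from the report: not seen by ssh-keysign ---
CanonicalizeHostname yes
CanonicalDomains example.com

Match canonical host *.example.com
    HostbasedAuthentication yes
    # ssh applies this block on its second (post-canonicalization) pass.
    # ssh-keysign parses the file once, so this line is never applied and
    # the helper refuses to sign.
    EnableSSHKeysign yes

# --- Placement documented in ssh_config(5) ---
# In the real file this line goes before any Host or Match line
# (the non-hostspecific section), where a single pass picks it up.
# Note that this enables the helper for every destination, not only
# for canonicalized hosts.
EnableSSHKeysign yes
```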