ssh_config equivalent of sshd_config's TrustedUserCAKeys

Daniel Kahn Gillmor dkg at
Sat Jun 29 00:19:11 AEST 2019

Hi all--

The CERTIFICATES section of ssh-keygen(1) says:

     For certificates to be used for user or host authentication, the CA
     public key must be trusted by sshd(8) or ssh(1).  Please refer to
     those manual pages for details.

For sshd(8) (and sshd_config(5)) i've found TrustedUserCAKeys, but
ssh(1) and ssh_config(5) doesn't appear to have an equivalent directive.

i am considering using OpenSSH certificates for clients to authenticate
hosts within a domain (so i want to sequester this directive within a
Match stanza), and i don't want to grant "trust" to a certificate
authority outside of the zone i know it should be scoped to.

I've also run "strings /usr/bin/ssh | grep -i trust" but i don't see
anything that looks promising there either :/

Thanks for any pointers you can give!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <>

More information about the openssh-unix-dev mailing list