ssh_config equivalent of sshd_config's TrustedUserCAKeys

Peter Moody mindrot at
Sat Jun 29 01:37:08 AEST 2019

confusingly enough, it's in the sshd manpage (at least on my system).
Look for the section titled:


specifically, you want to know about the @cert-authority marker

tl;dr, you can put something like the following in your
/etc/ssh/ssh_known_hosts or ~/.ssh/known_hosts

@cert-authority * ssh-ed25519 <pubkey1>
@cert-authority * ssh-ed25519 <pubkey2>

and that tells your clients to accept certs signed by pubkey1 when
connecting to hosts with HostNames like * and to accept
certs signed by pubkey2 when connecting to hosts with HostNames



On Fri, Jun 28, 2019 at 7:22 AM Daniel Kahn Gillmor
<dkg at> wrote:
> Hi all--
> The CERTIFICATES section of ssh-keygen(1) says:
>      For certificates to be used for user or host authentication, the CA
>      public key must be trusted by sshd(8) or ssh(1).  Please refer to
>      those manual pages for details.
> For sshd(8) (and sshd_config(5)) i've found TrustedUserCAKeys, but
> ssh(1) and ssh_config(5) don't appear to have an equivalent directive.
> i am considering using OpenSSH certificates for clients to authenticate
> hosts within a domain (so i want to sequester this directive within a
> Match stanza), and i don't want to grant "trust" to a certificate
> authority outside of the zone i know it should be scoped to.
> I've also run "strings /usr/bin/ssh | grep -i trust" but i don't see
> anything that looks promising there either :/
> Thanks for any pointers you can give!
>        --dkg
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at
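The scoping dkg asks about comes from the first column of the @cert-authority line: ssh(1) only trusts a CA for hosts whose name matches that column's pattern list. The following is an added example, not part of the thread and not OpenSSH's own code: a small re-implementation of the known_hosts host-pattern matching (only `*` and `?` wildcards, `!` negation, comma-separated lists) that reads a known_hosts file and reports which CAs would be trusted for a given hostname. The file contents and the key blobs are constructed placeholders, not real keys.

```python
"""Parse @cert-authority lines from an OpenSSH known_hosts file and work out
which host CAs a client would trust for a given hostname.

Added example for this thread, not OpenSSH code: a re-implementation of the
host-pattern matching ssh(1) applies to column 1 of known_hosts, so a CA can
be limited to one zone instead of "*".
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class CertAuthority:
    patterns: List[str]   # comma-separated host patterns from column 1
    key_type: str         # e.g. ssh-ed25519
    key_blob: str         # base64 public key of the CA


def _glob_to_regex(pattern: str) -> "re.Pattern":
    """known_hosts patterns support only '*' and '?' as wildcards."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$")


def host_matches(patterns: List[str], host: str) -> bool:
    """Return True if host matches the pattern list.

    A pattern prefixed with '!' is a negation: if any negated pattern matches,
    the whole list does not match, whatever else matched. Otherwise at least
    one positive pattern must match. The host is lowercased before matching.
    """
    host = host.lower()
    positive = False
    for pat in patterns:
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        if _glob_to_regex(pat).match(host):
            if negate:
                return False
            positive = True
    return positive


def parse_cert_authorities(text: str) -> List[CertAuthority]:
    """Extract @cert-authority entries. Plain pinned host keys and @revoked
    lines are skipped here because neither grants CA trust."""
    cas = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 4)          # marker hosts type blob [comment]
        if fields[0] != "@cert-authority" or len(fields) < 4:
            continue
        _, hosts, key_type, key_blob = fields[:4]
        cas.append(CertAuthority(hosts.split(","), key_type, key_blob))
    return cas


def trusted_cas_for(host: str, cas: List[CertAuthority]) -> List[str]:
    """Key blobs of every CA whose host pattern covers `host`."""
    return [ca.key_blob for ca in cas if host_matches(ca.patterns, host)]


# Constructed sample known_hosts; the key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
# CA scoped to the corp zone, but explicitly not for the bastion host
@cert-authority *.corp.example,!bastion.corp.example ssh-ed25519 AAAA-constructed-CA1
# CA trusted for every host (the "*" pattern from the reply above)
@cert-authority * ssh-ed25519 AAAA-constructed-CA2
# an ordinary pinned host key, which grants no CA trust at all
git.example ssh-ed25519 AAAA-constructed-hostkey
"""

CAS = parse_cert_authorities(SAMPLE_KNOWN_HOSTS)

if __name__ == "__main__":
    for h in ("web1.corp.example", "bastion.corp.example", "outside.example"):
        print(h, "->", trusted_cas_for(h, CAS))
```

With the sample file, `web1.corp.example` is covered by both CAs, `bastion.corp.example` only by CA2 because the negated pattern removes CA1, and a host outside the zone only by the unscoped CA2. The practical point is that a line with `*` as its host column trusts that CA for every host the client ever connects to, so a zone-specific CA belongs on a line whose pattern list names that zone.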
