Multiple Signatures on SSH-Hostkeys

Damien Miller djm at
Tue Oct 22 11:43:26 AEDT 2019

On Mon, 21 Oct 2019, Bergner, Jan, A-SCM-CIM-SD wrote:

> Hello, OpenSSH-wizards.
> In our company, we have looked into SSH-HostKey-signing in order to
> realize automated access without the need to accept the server's
> hostkey, manually.
> I got it to work with the HostCertificate-directive inside the
> sshd_config.
> Now, I was wondering whether it is possible to have multiple
> signatures, so I can, for example, sign the hostkey once with a
> company-internal CA to prove to my colleagues that the server belongs
> to our company and to sign again with another CA that belongs to say
> a specific project so all the servers in this project can be sure to
> talk to another project server.

First off: typically host key certificates are made to identify a server
back to some root of trust and not to implement any sort of host-level
access control, which is what your mention of "project servers" makes
me think of. If you want to control which hosts are able to connect to
which other hosts, then host certificates are not the feature you're
looking for.

With tha being said, unfortunately, the SSH protocol is limited to
sending a single hostkey from the the server to the client during
connection establishment. The client gets to choose they type of the
hostkey only.

So having multiple signatures over the same type of host key isn't
practical. You can specify multiple keys of the same type in sshd_config
but the server will only send the first one that was specified.

I think the best you could do at present if you want host keys signed
by different CA is to choose different types of host key (e.g. ecdsa vs
ed25519), get one type signed by one CA and the other by the other CA,
and configure the clients to prefer the key type corresponding to the CA
that they expect. It's not a great solution, but it would probably work.

> Furthermore, I did not find out, how I would sign different hostkey-
> types. (Like RSA and ECDSA.)

It's definitely possible to sign hostkeys of one type with a CA key of
another type (just don't use DSA).


More information about the openssh-unix-dev mailing list