client host certificates and receiving host configuration

Rory Campbell-Lange rory at
Wed Jun 17 05:36:56 AEST 2020

I'm working on a small server written in Go to add short-lived user
certificates to the forwarded agents of authorized users.

This seems to work quite well for accessing sshd servers with the
appropriately configured "TrustedUserCAKeys" directive.

I have been in a debate about how similarly adding host certificates to
forwarded agents could help mitigate man-in-the-middle attacks. This has
raised a few questions.

Firstly, given a host CA signing key on the sshagentca server, would an
appropriately constructed host certificate added to a forwarded agent
replace the necessity for a '@cert-authority' line in a user's known_hosts

Secondly, would there be any alteration to the requirement for a
"HostCertificate" CA-signed public key (from a private "HostKey") on
sshd receiving servers?

Many thanks

More information about the openssh-unix-dev mailing list