client host certificates and receiving host configuration

Damien Miller djm at
Wed Jun 17 10:31:06 AEST 2020

On Tue, 16 Jun 2020, Rory Campbell-Lange wrote:

> I'm working on a small server written in Go to add short-lived user
> certificates to the forwarded agents of authorized users.
> This seems to work quite well for accessing sshd servers with the
> appropriately configured "TrustedUserCAKeys" directive.
> I have been in a debate about how similarly adding host certificates to
> forwarded agents could help mitigate man-in-the-middle attacks. This has
> raised a few questions.
> Firstly, given a host CA signing key on the sshagentca server, would an
> appropriately constructed host certificate added to a forwarded agent
> replace the necessity for a '@cert-authority' line in a user's known_hosts
> file?

I'm not sure I want to add yet another path (the agent) to ssh's already
twisty host key verification logic. However, a few people have requsted
a KnownHostsCommand option that allows the output of a subprocess to
be used in addition to the usual known_hosts. Would this work for you?

> Secondly, would there be any alteration to the requirement for a
> "HostCertificate" CA-signed public key (from a private "HostKey") on
> sshd receiving servers?

I don't understand what you mean here. Could you elabourate?


More information about the openssh-unix-dev mailing list