client host certificates and receiving host configuration

Rory Campbell-Lange rory at
Wed Jun 17 16:17:24 AEST 2020

On 17/06/20, Damien Miller (djm at wrote:
> > Firstly, given a host CA signing key on the sshagentca server, would an
> > appropriately constructed host certificate added to a forwarded agent
> > replace the necessity for a '@cert-authority' line in a user's known_hosts
> > file?
> I'm not sure I want to add yet another path (the agent) to ssh's already
> twisty host key verification logic. However, a few people have requsted
> a KnownHostsCommand option that allows the output of a subprocess to
> be used in addition to the usual known_hosts. Would this work for you?
> > Secondly, would there be any alteration to the requirement for a
> > "HostCertificate" CA-signed public key (from a private "HostKey") on
> > sshd receiving servers?
> I don't understand what you mean here. Could you elabourate?

My apologies for the poor explanation. Let me try again.

Adding a user certificate to a client forwarded agent allows that client
to use that certificate to authenticate to servers with
TrustedUserCAKeys set to the public key used to sign the certificate.

What would host certificates added to a client forwarded agent give one
(if any), and what part of the normal set of configuration requirements*
does it help with?

* normal config : @cert-authority in the client's ~/.ssh/known_hosts;
  setup of appropriate HostCertificate directives on receiving hosts

Thanks very much

More information about the openssh-unix-dev mailing list