@cert-authority for hostbased auth - sans shosts?

Rory Campbell-Lange rory at campbell-lange.net
Fri Nov 10 11:34:45 AEDT 2023

On 09/11/23, Marian Beermann (public at enkore.de) wrote:
> ... while OpenSSH does support using a CA in conjunction with hostbased
> authentication, it still requires a list of all authorized host names in the
> rhosts / shosts file.

I'm not familiar with the use of .rhosts/.shosts, but I don't think those are needed at all with a machine or per-user known_hosts file/files utilizing host certificates.

The known_hosts file can have patterns such as the following:

    @cert-authority *.example.com ecdsa-sha2-nistp256 AAAAE2V...

Would accept the host certificate authority for *.example.com. The "Hostnames" field can be expanded as needed, and can enclude hashed hostnames.


Another example (from the sshd man page)

    cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W...

Could that work for you?


More information about the openssh-unix-dev mailing list