sshd providing only public host certificates
Brian Candler
b.candler at pobox.com
Tue Nov 18 19:38:45 AEDT 2025
On 18/11/2025 05:51, Leroy Tennison via openssh-unix-dev wrote:
> A goal is to be able to say "If you're prompted to accept a host key the answer is no"
I think
StrictHostKeyChecking yes
in ssh_config (client side) will achieve this.
The server has no way of knowing whether the client is validating its
host key by stashing a copy of it, or by looking at its certificate (or
indeed, validating it at all). Therefore, there's nothing meaningful you
could do in sshd_config.
At best, sshd could send a message saying "please only validate my host
key using its certificate". But it has no way to enforce that actually
takes place. If client policy enforcement is important to you, then you
need to make ssh_config centrally managed.
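Added example, not part of Brian's post: a centrally managed client-side ssh_config that implements the suggestion above and goes one step further by negotiating only certificate host key types, so a client configured this way never accepts a bare host key either. The CA public key and domain are placeholders.

```sshconfig
# /etc/ssh/ssh_config  (constructed example, deployed by configuration management)
# Note: ssh reads ~/.ssh/config before this file and keeps the first value it
# finds for each option, so per-user config files must be managed (or removed)
# as well for this to be an enforced policy rather than a default.
Host *
    # Unknown or changed host keys are a hard failure; the user is never prompted.
    StrictHostKeyChecking yes
    # Offer only certificate host key algorithms. A server presenting a plain
    # host key (even one cached somewhere) cannot complete key exchange.
    HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com
    # Trust only the centrally managed CA list; ignore per-user known_hosts files
    # so nothing a user once "accepted" can satisfy the check.
    GlobalKnownHostsFile /etc/ssh/ssh_known_hosts
    UserKnownHostsFile /dev/null

# /etc/ssh/ssh_known_hosts  (constructed example; contains CA entries only)
# Host certificates signed by this CA are valid for hosts matching the pattern.
@cert-authority *.example.com ssh-ed25519 AAAA...PLACEHOLDER_HOST_CA_PUBLIC_KEY...
```

If a server's certificate fails validation (expired, wrong principal, unknown CA), the client falls back to a plain known_hosts lookup, which this configuration deliberately leaves empty, so the connection is refused rather than prompting.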