sshd providing only public host certificates

Leroy Tennison leroy.tennison at verizon.net
Thu Nov 20 10:18:51 AEDT 2025


Thanks for the reply; although I was hoping for additional options, this does make sense. Managing client configurations is challenging but may be the only option.

On Tuesday, November 18, 2025 at 02:38:48 AM CST, Brian Candler <b.candler at pobox.com> wrote:

On 18/11/2025 05:51, Leroy Tennison via openssh-unix-dev wrote:
> A goal is to be able to say "If you're prompted to accept a host key the answer is no"

I think

     StrictHostKeyChecking yes

in ssh_config (client side) will achieve this.

The server has no way of knowing whether the client is validating its 
host key by stashing a copy of it, or by looking at its certificate (or 
indeed, validating it at all). Therefore, there's nothing meaningful you 
could do in sshd_config.

At best, sshd could send a message saying "please only validate my host 
key using its certificate". But it has no way to enforce that actually 
takes place. If client policy enforcement is important to you, then you 
need to make ssh_config centrally managed.
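The centrally managed client policy Brian describes, written out as an added example (not code from either poster or from the OpenSSH project): a system-wide known_hosts that carries only a `@cert-authority` marker and a managed ssh_config that refuses unknown host keys, ignores per-user known_hosts, and blocks servers from pushing extra keys. The CA public key blob, the `*.example.com` host pattern and the file paths are constructed placeholders; the audit function at the end is an assumption about how one might check that no plain host keys have crept into the managed file.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Writes a client-side
# configuration that trusts host keys only through a CA certificate and
# audits the resulting known_hosts file. All values are constructed.

set -eu

WORKDIR="${TMPDIR:-/tmp}/ssh-ca-example.$$"
mkdir -p "$WORKDIR"

# Constructed placeholder CA public key (not a real key).
CA_PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLECAKEYPLACEHOLDER0000000000000000 host-ca@example.com"

# The managed known_hosts holds only the CA marker: any host whose
# certificate is signed by this CA is accepted, nothing else is pinned.
write_known_hosts() {
    printf '@cert-authority *.example.com %s\n' "$CA_PUBKEY" > "$1"
}

# The managed ssh_config: "if prompted to accept a host key, the answer is no".
#   StrictHostKeyChecking yes  - never prompt, never add unknown keys
#   UserKnownHostsFile /dev/null - users cannot stash their own copies
#   UpdateHostKeys no          - servers cannot push additional keys
write_ssh_config() {
    cat > "$1" <<EOF
Host *.example.com
    StrictHostKeyChecking yes
    GlobalKnownHostsFile $WORKDIR/ssh_known_hosts
    UserKnownHostsFile /dev/null
    UpdateHostKeys no
EOF
}

# Audit helper (assumed, not an OpenSSH facility): succeed only if every
# non-comment, non-blank line in the file is a @cert-authority entry.
known_hosts_is_ca_only() {
    ! grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -Evq '^@cert-authority[[:space:]]'
}

write_known_hosts "$WORKDIR/ssh_known_hosts"
write_ssh_config "$WORKDIR/ssh_config"

if known_hosts_is_ca_only "$WORKDIR/ssh_known_hosts"; then
    echo "managed known_hosts contains only CA entries: $WORKDIR/ssh_known_hosts"
else
    echo "managed known_hosts contains pinned host keys" >&2
    exit 1
fi
```

The generated files are written under a temporary directory so the script can be run without touching the real `/etc/ssh`; in a deployment the same two files would be pushed by whatever configuration management already owns `/etc/ssh/ssh_config`. The audit function is the part worth keeping in that pipeline: a host key line appearing next to the `@cert-authority` entry means someone has fallen back to pinning, which is exactly the behaviour the policy is meant to rule out.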
