sshd providing only public host certificates

Leroy Tennison leroy.tennison at verizon.net
Wed Nov 26 17:20:39 AEDT 2025


Sorry for the late reply and thanks so much for your response, the information (and caveat about downgrade) is good to know, I appreciate it.

On Wednesday, November 19, 2025 at 07:00:27 PM CST, Damien Miller <djm at mindrot.org> wrote:

On Tue, 18 Nov 2025, Leroy Tennison via openssh-unix-dev wrote:

> Based on man sshd_config for 9.6p1 this appears to be impossible.  The
> reason I'm asking is that I would like to switch to only certificate
> authentication for hosts and control it from the server side.  I
> realize I can't necessarily control client side mis-configuration
> (or potential MITMs) but I would like to be able to "encourage" all
> clients to convert to exclusively signature-based host authentication
> by not allowing connection unless they were configured to use the
> @cert-authority marker.  A goal is to be able to say "If you're
> prompted to accept a host key the answer is no". If this isn't
> possible please consider it an enhancement request.  If it is please
> tell me how, I'm not understanding how based on reading the man pages
> and, although web searches explain how to set this up, I didn't find
> anything about enforcing it.  Thanks.

You can make a server offer only certificate keys via
HostKeyAlgorithms, e.g

> HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com

(customise as per the key types you're offering)

However, note that the default behaviour of OpenSSH's ssh client is
to automatically downgrade a certificate to a regular key when
certificate verification fails, and to fall back to the usual
known_hosts matching.

There are several ways to effectively disable this, including:

> StrictHostKeyChecking yes
or
> UserKnownHostsFile none

(doesn't turn off the downgrade, but effectively disables trusting
the result)

> HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com

On the client should also work in openssh-9.8 or later.

-d  
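The server-side and client-side settings discussed in the thread can be checked mechanically rather than by eye. The script below is an added example, not OpenSSH's own tooling and not anything posted in the thread: it reads the first value set for a keyword (OpenSSH honours the first occurrence), verifies that sshd_config's HostKeyAlgorithms is an absolute list of certificate algorithms only (a `+`, `-` or `^` prefix keeps some of the default list, which includes plain host keys), verifies that ssh_config sets StrictHostKeyChecking yes or UserKnownHostsFile none so a downgraded plain key is never trusted, and, going one step beyond the thread, verifies that a known_hosts file contains nothing but @cert-authority entries, which is what "if you're prompted to accept a host key the answer is no" amounts to. The helper names (config_value, hostkey_algs_cert_only, client_blocks_downgrade, known_hosts_cert_only), the file paths and the sample file contents are all constructed for the example; Match and Host blocks are not modelled, the helper simply reports the first value in the file.

```shell
#!/bin/sh
# Added audit helper for the settings in the thread; not part of OpenSSH.
# All file paths and sample contents below are constructed for the example.

# Print the first value set for a keyword in an OpenSSH config file.
# OpenSSH uses the first occurrence of a keyword, keywords are
# case-insensitive, and both "Key value" and "Key=value" are accepted.
# Match/Host blocks are not modelled (assumption: flat config for the audit).
config_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)
            if (n < 2 || tolower(f[1]) != key) next
            out = f[2]
            for (i = 3; i <= n; i++) out = out " " f[i]
            print out
            exit
        }' "$1"
}

# Return 0 only if HostKeyAlgorithms is an absolute list made solely of
# *-cert-* algorithms. Unset, or prefixed with +/-/^, means part of the
# default list (which contains plain host keys) is still offered.
hostkey_algs_cert_only() {
    algs=$(config_value "$1" HostKeyAlgorithms)
    [ -n "$algs" ] || return 1
    case $algs in
        [+^-]*) return 1 ;;
    esac
    # grep -v prints any comma-separated entry that is not a certificate algorithm
    if printf '%s\n' "$algs" | tr ',' '\n' | grep -v -- '-cert-' >/dev/null; then
        return 1
    fi
    return 0
}

# Return 0 if the client config neutralises the certificate-to-plain-key
# downgrade the thread describes: StrictHostKeyChecking yes, or
# UserKnownHostsFile none.
client_blocks_downgrade() {
    strict=$(config_value "$1" StrictHostKeyChecking | tr 'A-Z' 'a-z')
    ukhf=$(config_value "$1" UserKnownHostsFile | tr 'A-Z' 'a-z')
    [ "$strict" = yes ] || [ "$ukhf" = none ]
}

# Return 0 if every non-comment entry in a known_hosts file carries the
# @cert-authority marker, i.e. no plain host key is pinned anywhere.
known_hosts_cert_only() {
    # grep -v prints any line that is neither blank, a comment, nor a CA marker
    if grep -v -e '^[[:blank:]]*$' -e '^[[:blank:]]*#' \
               -e '^@cert-authority[[:blank:]]' "$1" >/dev/null; then
        return 1
    fi
    return 0
}

# --- Constructed sample files (placeholder key material, no real hosts) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SSHD_GOOD=$WORK/sshd_config.good;   SSHD_BAD=$WORK/sshd_config.bad
CLIENT_GOOD=$WORK/ssh_config.good;  CLIENT_BAD=$WORK/ssh_config.bad
KH_GOOD=$WORK/known_hosts.good;     KH_BAD=$WORK/known_hosts.bad

cat >"$SSHD_GOOD" <<'EOF'
# server offers certificate host keys only
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com
EOF
cat >"$SSHD_BAD" <<'EOF'
# "+" appends to the default list, so plain host keys are still offered
HostKeyAlgorithms +ssh-ed25519-cert-v01@openssh.com
EOF
cat >"$CLIENT_GOOD" <<'EOF'
Host *
    StrictHostKeyChecking yes
EOF
cat >"$CLIENT_BAD" <<'EOF'
Host *
    StrictHostKeyChecking ask
EOF
cat >"$KH_GOOD" <<'EOF'
@cert-authority *.example.com ssh-ed25519 AAAAexampleCAkeyPLACEHOLDER host-ca
EOF
cat >"$KH_BAD" <<'EOF'
@cert-authority *.example.com ssh-ed25519 AAAAexampleCAkeyPLACEHOLDER host-ca
host1.example.com ssh-ed25519 AAAAexamplePinnedKeyPLACEHOLDER
EOF

report() { label=$1; shift; if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi; }
report "sshd_config.good offers certificate keys only" hostkey_algs_cert_only "$SSHD_GOOD"
report "sshd_config.bad offers certificate keys only"  hostkey_algs_cert_only "$SSHD_BAD"
report "ssh_config.good blocks downgrade"              client_blocks_downgrade "$CLIENT_GOOD"
report "ssh_config.bad blocks downgrade"               client_blocks_downgrade "$CLIENT_BAD"
report "known_hosts.good is CA-only"                   known_hosts_cert_only "$KH_GOOD"
report "known_hosts.bad is CA-only"                    known_hosts_cert_only "$KH_BAD"
```

Run against real files by pointing the three checks at /etc/ssh/sshd_config, the client's ssh_config and its known_hosts; a FAIL on the first check is the case the thread starts from (the server still offers plain keys), and a FAIL on the second is the downgrade caveat Damien raises.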

