HashKnownHosts vs @cert-authority

Harald Dunkel harald.dunkel at aixigo.de
Mon Dec 12 23:16:52 AEDT 2016


On 12/12/2016 09:09 AM, Damien Miller wrote:
> On Fri, 9 Dec 2016, Harald Dunkel wrote:
> 
>> Hi folks,
>>
>> maybe I am too blind to see, but would it be possible to
>> avoid extra entries in known_hosts, if the remote host
>> has a signed public key matching a @cert-authority line?
>> Something like
>>
>> 	Host *
>> 		HashKnownHosts unsigned
>>
>> This could help to keep the known_hosts file small and
>> yet get all the unsigned public keys in.
> 
> Certificates aren't added to known_hosts when the CA is trusted,
> so this is pretty much already the behaviour.
> 
> -d
> 

I'm not talking about the signed certificates, but the host keys.
Sample session:

% cat .ssh/known_hosts.ca
@cert-authority *.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...5yM9EUO40GTkTDdm/tqXLr root@ca.example.com
@cert-authority *.hosting.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQA...w83RVE37kLAaoGXjQ8mKp4wuUmRuxf root@dex02.hosting.example.com
% ssh -o UserKnownHostsFile=${HOME}/.ssh/known_hosts.ca dpcl064 echo "hello, world"
Warning: Permanently added 'dpcl064' (RSA) to the list of known hosts.
hello, world
% cat .ssh/known_hosts.ca
@cert-authority *.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...5yM9EUO40GTkTDdm/tqXLr root@ca.example.com
@cert-authority *.hosting.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQA...w83RVE37kLAaoGXjQ8mKp4wuUmRuxf root@dex02.hosting.example.com
|1|enWm+4uvYU/G0qgjuYP0TpxIk3M=|MpKwoY+HIrUJbcR4vrNH1xYxWT4= ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB...I2bbm6C52Uga3TBWQ7F+xG0Wd5k1I+KMJnJ


Regards
Harri
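[Editor's note, not part of the thread.] The exchange above turns on two details of how ssh consults known_hosts: a @cert-authority line only vouches for certificates signed by that CA and never for a plain host key, and a plain host key that ssh records under HashKnownHosts is stored as |1|salt|hash, where the hash is HMAC-SHA1 keyed with the salt. The following Python model of that lookup is an added example, not code from the thread or from OpenSSH. The key blobs, the fixed salt and the hashed dpcl064 line are constructed placeholders computed by the script itself, not the entries from the post; the hostname-lowercasing and the "negated pattern wins" rule follow ssh's documented matching.

```python
"""Model of how a hostname is matched against known_hosts lines.

Added example: not code from the thread or from OpenSSH itself. It covers
host patterns with '*' / '?' and '!' negation, the |1|salt|hash form that
HashKnownHosts writes (HMAC-SHA1 keyed with the salt), and the
@cert-authority / @revoked markers.
"""
import base64
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Entry:
    marker: Optional[str]  # None, "@cert-authority" or "@revoked"
    hosts: str             # raw hosts field: patterns, or |1|salt|hash
    keytype: str
    key: str               # base64 key blob exactly as written in the file
    comment: str


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Build a HashKnownHosts field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                             base64.b64encode(mac).decode())


def parse_known_hosts(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        marker = None
        if line.startswith("@"):
            marker, line = line.split(None, 1)
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue  # malformed line: skipped, as ssh does
        comment = parts[3] if len(parts) == 4 else ""
        entries.append(Entry(marker, parts[0], parts[1], parts[2], comment))
    return entries


def _pattern_matches(pattern: str, hostname: str) -> bool:
    # ssh patterns know only '*' and '?'; unlike fnmatch, '[' is literal.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, hostname) is not None


def hosts_field_matches(hosts: str, hostname: str) -> bool:
    hostname = hostname.lower()  # ssh lowercases the name before lookup
    if hosts.startswith("|1|"):
        _, _, salt_b64, mac_b64 = hosts.split("|", 3)
        salt = base64.b64decode(salt_b64)
        mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    matched = False
    for pat in hosts.split(","):
        if pat.startswith("!"):
            if _pattern_matches(pat[1:].lower(), hostname):
                return False  # a negated pattern overrides any positive match
        elif _pattern_matches(pat.lower(), hostname):
            matched = True
    return matched


def lookup(entries: List[Entry], hostname: str) -> List[Entry]:
    """Entries whose hosts field matches hostname, in file order."""
    return [e for e in entries if hosts_field_matches(e.hosts, hostname)]


def trusted_cas(entries: List[Entry], hostname: str) -> List[str]:
    """CA keys allowed to sign a host certificate for hostname."""
    return [e.key for e in lookup(entries, hostname)
            if e.marker == "@cert-authority"]


def accepts_plain_key(entries: List[Entry], hostname: str,
                      keytype: str, key: str) -> bool:
    """True if a plain (non-certificate) host key is already known.

    Only an unmarked line carrying the same key does that. A @cert-authority
    line vouches for certificates signed by the CA, never for a raw key, so a
    host under a CA pattern that presents a plain key is still unknown.
    """
    hits = lookup(entries, hostname)
    if any(e.marker == "@revoked" and (e.keytype, e.key) == (keytype, key)
           for e in hits):
        return False
    return any(e.marker is None and (e.keytype, e.key) == (keytype, key)
               for e in hits)


# Constructed sample data: placeholder blobs, not real keys or the post's entry.
CA_KEY = "AAAAB3NzaC1yc2E...EXAMPLE_CA"
HOSTING_CA_KEY = "AAAAB3NzaC1yc2E...EXAMPLE_HOSTING_CA"
HOST_KEY = "AAAAB3NzaC1yc2E...EXAMPLE_HOSTKEY"
SALT = bytes(range(20))  # fixed 20-byte salt keeps the example deterministic
SAMPLE_KNOWN_HOSTS = "\n".join([
    "@cert-authority *.example.com ssh-rsa %s root@ca.example.com" % CA_KEY,
    "@cert-authority *.hosting.example.com ssh-rsa %s root@dex02" % HOSTING_CA_KEY,
    "%s ssh-rsa %s" % (hash_hostname("dpcl064", SALT), HOST_KEY),
])
```

Running `trusted_cas(parse_known_hosts(SAMPLE_KNOWN_HOSTS), "web01.example.com")` returns the CA key, while `accepts_plain_key(...)` for the same host returns False: a certificate from the CA would be accepted with nothing written, but a plain key would not, which is the gap the original question is about. For "dpcl064" only the hashed unmarked line matches, so its plain key is accepted and the hash can only be checked by recomputing it with the stored salt.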



More information about the openssh-unix-dev mailing list