ssh_config equivalent of sshd_config's TrustedUserCAKeys
Peter Moody
mindrot at hda3.com
Sat Jun 29 01:37:08 AEST 2019
confusingly enough, it's in the sshd manpage (at least on my system).
Look for the section titled:
SSH_KNOWN_HOSTS FILE FORMAT
specifically, you want to know about the @cert-authority marker
tl;dr, you can put something the following in your
/etc/ssh/ssh_known_hosts or ~/.ssh/known_hosts
@cert-authority *.example.com ssh-ed25519 <pubkey1>
@cert-authority *.not-example.com ssh-ed25519 <pubkey2>
and that tells your clients to accept certs signed by pubkey1 when
connecting to hosts with HostNames like *.example.com and to accept
certs signed by pubkey2 when connecting to hosts with HostNames
*.not-example.com.
HTH
Cheers,
peter
On Fri, Jun 28, 2019 at 7:22 AM Daniel Kahn Gillmor
<dkg at fifthhorseman.net> wrote:
>
> Hi all--
>
> The CERTIFICATES section of ssh-keygen(1) says:
>
> For certificates to be used for user or host authentication, the CA
> public key must be trusted by sshd(8) or ssh(1). Please refer to
> those manual pages for details.
>
> For sshd(8) (and sshd_config(5)) i've found TrustedUserCAKeys, but
> ssh(1) and ssh_config(5) doesn't appear to have an equivalent directive.
>
> i am considering using OpenSSH certificates for clients to authenticate
> hosts within a domain (so i want to sequester this directive within a
> Match stanza), and i don't want to grant "trust" to a certificate
> authority outside of the zone i know it should be scoped to.
>
> I've also run "strings /usr/bin/ssh | grep -i trust" but i don't see
> anything that looks promising there either :/
>
> Thanks for any pointers you can give!
>
> --dkg
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
More information about the openssh-unix-dev
mailing list