destination-address in a ssh certificate
Damien Miller
djm at mindrot.org
Thu Oct 16 09:50:07 AEDT 2025
On Tue, 14 Oct 2025, Briner Cédric (DIN) via openssh-unix-dev wrote:
> Hi,
>
> We want to use ssh certificates. We would like to create a certificate that says this ssh pub key can only connect to this server with this account.
>
> Reading the manual, we have the strong feeling that what could be inserted in the certificate is the information that used to be in the authorized_keys.
>
> But historically speaking, there was no need, at that time, to have a field named "destination-address" as this was implicit. That information wasn't needed as the authorized_keys instructed only one machine: the machine where the authorized_keys was installed.
>
> So how could I do this?
In addition to the answer that you already received, you might want to
check out https://github.com/google/hiba - this is a set of extensions
to the SSH certificate format to allow authorisation to pools of hosts
to be embedded in the certificate.
-d