The note is appreciated. This patch is now available from github, as https://github.com/charles-dyfis-net/openssh-portable/compare/openssh:773dda2...charles-dyfis-net:host-key-alias-cert-check and as inline plaintext below. >From 367fd8323d864daaf486047850f93c2167c66f37 Mon Sep 17 00:00:00 2001 From: Charles Duffy <charles@xxxxxxxxxxxxxx> Date: Tue, 17 Feb 2015 09:49:32 -0600 Subject: [PATCH] Allow HostKeyAlias to match a host certificate principal if HostName does not --- sshconnect.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sshconnect.c b/sshconnect.c index df921be..666c3ff 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -902,7 +902,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, debug("Found %s in %s:%lu", want_cert ? "CA key" : "key", host_found->file, host_found->line); if (want_cert && !check_host_cert(hostname, host_key)) - goto fail; + if (options.host_key_alias == NULL || !check_host_cert(options.host_key_alias, host_key)) + goto fail; if (options.check_host_ip && ip_status == HOST_NEW) { if (readonly || want_cert) logit("%s host key for IP address " -- 2.0.0 On Thu, Feb 19, 2015 at 3:32 PM, Ángel González <keisial@xxxxxxxxx> wrote: > On 19/02/15 19:37, Charles Duffy wrote: >> >> A trivial patch implementing this behavior is attached. > > Also stripped by the mailing list. Make sure you are attaching it with the > proper mime type. > > > PS: That seems a good idea. > > > _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
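Review bot: the replacement of `goto fail;` in check_host_key() nests a second brace-less `if` directly under `if (want_cert && !check_host_cert(hostname, host_key))`, which is hard to read and easy to misindent later; fold the alias fallback into one condition instead, e.g. `if (want_cert && !check_host_cert(hostname, host_key) && (options.host_key_alias == NULL || !check_host_cert(options.host_key_alias, host_key))) goto fail;`. Two further points: if check_host_cert() reports its own failure, the first call will emit a rejection message even when the HostKeyAlias check then succeeds, so consider testing the alias first or suppressing the intermediate message; and the diffstat shows only sshconnect.c changed, so the new meaning of HostKeyAlias (a second principal name accepted for a host certificate) should also be documented in the HostKeyAlias entry of ssh_config(5) so users understand what trust they are granting when they set it.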