Hello,

Maybe I did not understand PKI trust correctly, so forgive me if I am wrong.

For example, I have multiple hosts that all serve as monitoring servers. I would like to trust only these hosts, so I enrol a certificate for them using the "monitoring" principal, so that I can connect only to these.

At first I thought we could use a Match statement in ssh_config; however, the Match is evaluated before the connection, so the remote principal name is not available at this stage.

From what I understand, the known_hosts format enables a CA key and a DNS mask of matched hosts. There is no way to match against the certificate principal name. I thought about something like:

    @cert-authority *.mydomain.org,*.mydomain.com,principal=xxx,principal=yyy <CA_KEY>

If the above cannot be done, do you think it would be helpful?

BTW: It would also be handy to allow specifying the CA key in a separate file, something like the following:

    @cert-authority-file *.mydomain.org,*.mydomain.com,principal=xxx /etc/.../ca.pub

Regards,
Alon Bar-Lev.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
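As an added illustration (not code from the message above, nor from OpenSSH), a small Python matcher for known_hosts `@cert-authority` entries that implements the `principal=` option proposed in the message; the hostname wildcard rules are modelled on OpenSSH's, the `principal=` syntax is the proposal's (hypothetical), and the key blob in the sample line is a constructed placeholder.

```python
"""Toy matcher for known_hosts '@cert-authority' entries, extended with the
'principal=' option proposed on the list (hypothetical syntax, not OpenSSH's)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class CertAuthorityEntry:
    host_patterns: list   # OpenSSH-style patterns, '!' prefix negates
    principals: set       # empty set means "no principal restriction"
    key_type: str
    key_blob: str


def parse_cert_authority_line(line: str) -> CertAuthorityEntry:
    """Parse '@cert-authority <patterns> <keytype> <key> [comment]'.
    'principal=NAME' tokens in the pattern list are the proposed extension;
    every other token is treated as a host pattern."""
    fields = line.split()
    if len(fields) < 4 or fields[0] != "@cert-authority":
        raise ValueError("not a @cert-authority line")
    hosts, principals = [], set()
    for token in fields[1].split(","):
        if token.startswith("principal="):
            principals.add(token[len("principal="):])
        elif token:
            hosts.append(token)
    return CertAuthorityEntry(hosts, principals, fields[2], fields[3])


def host_matches(patterns, hostname):
    """OpenSSH-style list match: '*' and '?' wildcards, a leading '!' negates.
    A negated match vetoes the entry; otherwise any positive match wins.
    (fnmatchcase also honours '[...]', which OpenSSH does not; hostnames
    never contain brackets, so the difference is harmless here.)"""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatchcase(hostname, pat):
            matched = True
    return matched


def entry_trusts(entry, hostname, cert_principals):
    """Would this CA entry accept a host presenting a certificate carrying
    cert_principals? Signature validity is assumed to be checked elsewhere."""
    if not host_matches(entry.host_patterns, hostname):
        return False
    if entry.principals and not entry.principals.intersection(cert_principals):
        return False
    return True


# Constructed sample entry; the key blob is a placeholder, not a real key.
CONSTRUCTED_LINE = ("@cert-authority *.mydomain.org,*.mydomain.com,"
                    "!*.lab.mydomain.org,principal=monitoring "
                    "ssh-ed25519 AAAA...PLACEHOLDER host-ca")
```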