I guess [1] is the answer, and it is not merged yet.

[1] http://serverfault.com/questions/669718/connecting-to-a-pool-member-over-ssh-w-a-host-certificate-good-for-the-pool-nam

On Sun, Feb 22, 2015 at 11:56 PM, Alon Bar-Lev <alon.barlev@xxxxxxxxx> wrote:
> Hello,
>
> Maybe I did not understand the PKI trust correctly, so forgive me if I am wrong.
>
> For example, I have multiple hosts that all serve as monitoring
> servers. I would like to trust only these hosts, so I enrol a
> certificate for them using the "monitoring" principal, so I can connect
> only to these.
>
> At first I thought we could use a Match statement in ssh_config; however,
> the Match is evaluated before the connection, so the remote principal
> name is not available at this stage.
>
> From what I do understand, the known_hosts format allows a CA key and a
> DNS mask of matched hosts.
>
> There is no way to match against the certificate principal name.
>
> I thought about something like:
>
> @cert-authority *.mydomain.org,*.mydomain.com,principal=xxx,principal=yyy <CA_KEY>
>
> If the above cannot be done, do you think it would be helpful?
>
> BTW: It would also be handy to allow specifying the CA key in a separate
> file, something like the following:
>
> @cert-authority-file *.mydomain.org,*.mydomain.com,principal=xxx /etc/.../ca.pub
>
> Regards,
> Alon Bar-Lev.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
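To make the trust decision discussed in the quoted message concrete, here is an added Python example (not code from the thread, OpenSSH, or the linked answer). It models the two inputs OpenSSH combines when it sees a host certificate: the `@cert-authority` line in known_hosts, whose host patterns say which hostnames a CA may vouch for, and the certificate's own principal list, which must contain the hostname actually being connected to. The certificate blob, the CA key bytes, and the known_hosts line are all constructed inline (the certificate is unsigned and the signature is a placeholder, so this mirrors only the pattern/principal logic, not the signature check a real client performs). The field layout follows OpenSSH's PROTOCOL.certkeys; the pattern matching follows the `*`, `?`, `!` and hashed-host forms of known_hosts. The function names are this example's own.

```python
import base64
import hashlib
import hmac
import re
import struct

CERT_TYPE_HOST = 2  # PROTOCOL.certkeys: 1 = user certificate, 2 = host certificate


def _s(b: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _rs(buf: bytes, off: int):
    """Read one SSH 'string' at offset `off`; return (value, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def build_host_cert(ca_pub_blob: bytes, principals, key_id: bytes = b"monitoring") -> bytes:
    """Construct an UNSIGNED ssh-ed25519-cert-v01@openssh.com blob for illustration only.
    Field order is the one from PROTOCOL.certkeys; keys and nonce are constructed filler."""
    return b"".join([
        _s(b"ssh-ed25519-cert-v01@openssh.com"),
        _s(b"\x00" * 32),                                   # nonce
        _s(b"\x11" * 32),                                   # subject public key (constructed)
        struct.pack(">Q", 1),                               # serial
        struct.pack(">I", CERT_TYPE_HOST),                  # certificate type
        _s(key_id),                                         # key id
        _s(b"".join(_s(p.encode()) for p in principals)),   # valid principals
        struct.pack(">Q", 0),                               # valid after
        struct.pack(">Q", 2**64 - 1),                       # valid before
        _s(b""), _s(b""), _s(b""),                          # critical options, extensions, reserved
        _s(ca_pub_blob),                                    # signature key: the CA public key
        _s(b"placeholder-signature"),                       # signature (not computed here)
    ])


def parse_cert(blob: bytes) -> dict:
    """Extract type, key id, principal list and signing CA key from a certificate blob."""
    off = 0
    ctype, off = _rs(blob, off)
    _nonce, off = _rs(blob, off)
    _subject_key, off = _rs(blob, off)
    off += 8                                                # serial
    (kind,) = struct.unpack_from(">I", blob, off)
    off += 4
    key_id, off = _rs(blob, off)
    princ_blob, off = _rs(blob, off)
    principals, p = [], 0
    while p < len(princ_blob):                              # nested list of strings
        name, p = _rs(princ_blob, p)
        principals.append(name.decode())
    off += 16                                               # valid after + valid before
    for _ in range(3):                                      # critical options, extensions, reserved
        _, off = _rs(blob, off)
    ca_key, off = _rs(blob, off)
    return {"type": ctype.decode(), "kind": kind, "key_id": key_id.decode(),
            "principals": principals, "ca_key": ca_key}


def parse_known_hosts_line(line: str) -> dict:
    """Split '[@marker] host,patterns keytype base64key [comment]'."""
    fields = line.split()
    marker = fields.pop(0) if fields[0].startswith("@") else None
    return {"marker": marker, "patterns": fields[0].split(","),
            "keytype": fields[1], "key": base64.b64decode(fields[2])}


def hashed_pattern(hostname: str, salt: bytes) -> str:
    """Build a HashKnownHosts-style entry: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def _pattern_matches(pattern: str, hostname: str) -> bool:
    hostname = hostname.lower()
    if pattern.startswith("|1|"):                           # hashed entry: recompute the HMAC
        _, _, salt_b64, digest = pattern.split("|")
        return hashed_pattern(hostname, base64.b64decode(salt_b64)).endswith("|" + digest)
    # Only '*' and '?' are wildcards; everything else (including '[' and '.') is literal.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern.lower())
    return re.fullmatch(rx, hostname) is not None


def host_matches(patterns, hostname: str) -> bool:
    """known_hosts semantics: a matching negated ('!') pattern vetoes the entry,
    otherwise the entry applies if any positive pattern matches."""
    if any(_pattern_matches(p[1:], hostname) for p in patterns if p.startswith("!")):
        return False
    return any(_pattern_matches(p, hostname) for p in patterns if not p.startswith("!"))


def host_cert_accepted(line: str, hostname: str, cert_blob: bytes) -> bool:
    """The decision for a presented host certificate, minus signature verification:
    the CA must be trusted for this hostname AND the hostname must be a principal."""
    entry, cert = parse_known_hosts_line(line), parse_cert(cert_blob)
    if entry["marker"] != "@cert-authority" or not host_matches(entry["patterns"], hostname):
        return False                                        # CA not trusted for this name
    if cert["kind"] != CERT_TYPE_HOST or cert["ca_key"] != entry["key"]:
        return False                                        # wrong cert type or different CA
    # No role/label match exists: a principal such as "monitoring" only helps if you connect
    # to a name literally equal to "monitoring"; the connected hostname itself must be listed.
    return hostname.lower() in [p.lower() for p in cert["principals"]]


# Constructed sample data (not real keys).
CA_PUB_BLOB = _s(b"ssh-ed25519") + _s(b"\x22" * 32)
KNOWN_HOSTS_LINE = ("@cert-authority *.mydomain.org,*.mydomain.com ssh-ed25519 "
                    + base64.b64encode(CA_PUB_BLOB).decode())
SAMPLE_CERT = build_host_cert(CA_PUB_BLOB, ["mon1.mydomain.org", "monitoring"])

if __name__ == "__main__":
    for host in ("mon1.mydomain.org", "mon2.mydomain.org", "mon1.other.net"):
        print(host, "->", host_cert_accepted(KNOWN_HOSTS_LINE, host, SAMPLE_CERT))
```

Running it shows why the proposal in the quoted message does not map onto the existing format: `mon1.mydomain.org` is accepted because it is both covered by the CA's host pattern and listed as a principal, while `mon2.mydomain.org` is refused even though it carries the same CA and the same "monitoring" principal. Restricting trust to a set of hosts therefore has to be expressed either through the known_hosts host patterns or by issuing each host a certificate whose principals are exactly the names clients will use.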