On Sun, 22 Feb 2015, Alon Bar-Lev wrote:

> Hello,
>
> Maybe I did not understand correctly the PKI trust, so forgive me if I
> am wrong.
>
> For example, I have multiple hosts that all serve as monitoring
> servers. I would like to trust only these hosts, so I enrol a
> certificate for these using the "monitoring" principal, so I can connect
> only to these.
>
> At first I thought we can do a Match statement at ssh_config, however,
> the Match is being evaluated before connection, so the remote principal
> name is not available at this stage.
>
> From what I do understand the known_hosts format enables CA key and
> DNS mask of matched hosts.
>
> There is no way to match against the certificate principal name.
>
> I thought about something like:
>
> @cert-authority *.mydomain.org,*.mydomain.com,principal=xxx,principal=yyy <CA_KEY>

I don't think I want to add more indirection to known_hosts; the file is
already a mess of tangled, overlapping features and I'm terrified to add
more :/

Someone sent me a patch to allow certificate hostname principal matching
against HostkeyAlias if matching against the exact hostname failed. This
might be an alternative way for you to achieve what you want. What do you
think?

> If the above cannot be done, do you think it will be helpful?
>
> BTW: It would also be handy to allow specifying the CA key within a
> separate file, something like the following:
>
> @cert-authority-file *.mydomain.org,*.mydomain.com,principal=xxx /etc/.../ca.pub

I'm not sure it's worth the extra complexity in known_hosts parsing, given
that it's already possible to specify multiple user/system known_hosts
files. E.g. you could do:

UserKnownHostsFile ~/.ssh/known_hosts ~/.ssh/known_hosts_mydomain

with the latter listing the CA keys.

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
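The thread above turns on how a known_hosts `@cert-authority` line is selected: the client looks the line up by hostname pattern (or by the HostKeyAlias name when one is configured), and the certificate's principals are only checked afterwards against that same name, so there is no per-principal field in the lookup. The following is an added example, not code from the thread or from OpenSSH, that parses two known_hosts files of the kind Damien's `UserKnownHostsFile ~/.ssh/known_hosts ~/.ssh/known_hosts_mydomain` suggestion would load and reports which entries apply to a given host. File contents and key strings are constructed placeholders; the negated `!*.lab.mydomain.org` pattern shows the one scoping tool known_hosts does offer, namely narrowing the hostname patterns a CA entry covers.

```python
"""Which known_hosts entries apply to a host?  Added example with constructed data.

Models the OpenSSH known_hosts lookup rule: a line applies to a host when the
host matches at least one of the line's comma-separated patterns and none of
its '!'-negated patterns.  The certificate principal is not part of this
lookup; only the hostname (or HostKeyAlias) is.
"""
import fnmatch
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class KnownHostsEntry:
    marker: Optional[str]   # "@cert-authority", "@revoked", or None for a plain host key
    patterns: List[str]     # hostname patterns; '*' and '?' wildcards, '!' negates
    keytype: str
    key: str
    source: str             # which known_hosts file the line came from


def parse_known_hosts(text: str, source: str) -> List[KnownHostsEntry]:
    """Parse known_hosts lines: [marker] hostnames keytype base64key [comment]."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if len(fields) < 3:
            continue  # malformed: hostnames, key type and key are all required
        hosts, keytype, key = fields[0], fields[1], fields[2]
        entries.append(KnownHostsEntry(marker, hosts.split(","), keytype, key, source))
    return entries


def host_matches(patterns: List[str], host: str) -> bool:
    """Return True if host matches a positive pattern and no negated pattern.

    Hashed entries (|1|salt|hash) cannot be wildcard-matched; they are skipped
    here, which mirrors the fact that a hashed line can only ever match one
    exact name.
    """
    host = host.lower()
    matched = False
    for pattern in patterns:
        if pattern.startswith("|1|"):
            continue
        negate = pattern.startswith("!")
        pat = pattern[1:] if negate else pattern
        if fnmatch.fnmatchcase(host, pat.lower()):
            if negate:
                return False     # any negated match excludes the whole line
            matched = True
    return matched


def applicable_entries(entries: List[KnownHostsEntry], host: str) -> List[KnownHostsEntry]:
    return [e for e in entries if host_matches(e.patterns, host)]


# Constructed sample data standing in for the two files named in the thread.
KNOWN_HOSTS = """# ordinary per-host keys (constructed sample data)
mon1.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5-constructed-host-key-placeholder
|1|constructed-salt=|constructed-hash= ssh-ed25519 AAAA-constructed-hashed-placeholder
"""

KNOWN_HOSTS_MYDOMAIN = """# CA trusted only for hosts under these domains, lab hosts excluded (constructed)
@cert-authority *.mydomain.org,*.mydomain.com,!*.lab.mydomain.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5-constructed-ca-key-placeholder monitoring CA
"""

ENTRIES = (parse_known_hosts(KNOWN_HOSTS, "~/.ssh/known_hosts")
           + parse_known_hosts(KNOWN_HOSTS_MYDOMAIN, "~/.ssh/known_hosts_mydomain"))


def applicable(host: str) -> List[KnownHostsEntry]:
    """Entries that would be consulted when connecting to `host` (or its HostKeyAlias)."""
    return applicable_entries(ENTRIES, host)


if __name__ == "__main__":
    for name in ("mon1.mydomain.org", "box.lab.mydomain.org", "mon1.example.net"):
        hits = applicable(name)
        print(name, "->", [(e.marker or "host-key", e.source) for e in hits] or "no entry")
```

Run stand-alone, the script shows that `mon1.mydomain.org` is covered by the CA line from the second file, `box.lab.mydomain.org` is excluded by the negated pattern even though it sits under `*.mydomain.org`, and `mon1.example.net` is only ever checked against its plain host key. Because the name fed to this lookup is whatever ssh uses for known_hosts matching, a HostKeyAlias set per host in ssh_config changes which entries apply without touching the files, which is why the patch Damien mentions (matching certificate principals against the alias) is a workable substitute for a principal field in known_hosts.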