On Mon, Feb 23, 2015 at 7:35 PM, Damien Miller <djm@xxxxxxxxxxx> wrote:
>
> On Sun, 22 Feb 2015, Alon Bar-Lev wrote:
>
> > Hello,
> >
> > Maybe I did not understand correctly the PKI trust, so forgive me if I
> > am wrong.
> >
> > For example, I have multiple hosts that all serve as monitoring
> > servers. I would like to trust only these hosts, so I enrol a
> > certificate for these using the "monitoring" principal, so I can connect
> > only to these.
> >
> > At first I thought we could do a Match statement in ssh_config; however,
> > the Match is evaluated before connection, so the remote principal
> > name is not available at this stage.
> >
> > From what I do understand, the known_hosts format enables a CA key and
> > a DNS mask of matched hosts.
> >
> > There is no way to match against the certificate principal name.
> >
> > I thought about something like:
> >
> > @cert-authority
> > *.mydomain.org,*.mydomain.com,principal=xxx,principal=yyy <CA_KEY>
>
> I don't think I want to add more indirection to known_hosts; the file
> is already a mess of tangled, overlapping features and I'm terrified to
> add more :/
>
> Someone sent me a patch to allow certificate hostname principal matching
> against HostkeyAlias if matching against the exact hostname failed.
> This might be an alternative way for you to achieve what you want.
> What do you think?

Yes, I found this patch after I posted this :) It would be a solution.

> > If the above cannot be done, do you think it will be helpful?
> >
> > BTW: It would also be handy to allow specifying the CA key within a separate
> > file, something like the following:
> >
> > @cert-authority-file *.mydomain.org,*.mydomain.com,principal=xxx /etc/.../ca.pub
>
> I'm not sure it's worth the extra complexity in known_hosts parsing,
> given that it's already possible to specify multiple user/system
> known_hosts files.
>
> E.g. you could do:
>
> UserKnownHostsFile ~/.ssh/known_hosts ~/.ssh/known_hosts_mydomain
>
> with the latter listing the CA keys.
I am thinking of avoiding specifying the CA key over and over within the file. I mean, instead of having one large selection of valid principals, enable a principal per line, while simplifying the CA key.

Another issue is that, unlike sshd_config, which can point to a file, I cannot have a static configuration for the ssh client side because I must generate the known_hosts based on the CA key that I receive during setup.

Not critical; for this I have a solution.

Thanks!
Alon

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
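The thread turns on what a known_hosts line can and cannot express: a `@cert-authority` marker, a comma-separated list of host patterns (the "DNS mask"), and a key, with no principal field. The following is an added example, not code from the thread or from OpenSSH: a small parser and matcher for that format, written from the documented semantics (`*`/`?` wildcards, `!` negation that vetoes the whole pattern list, `[host]:port` names for non-default ports, and `|1|salt|hash` hashed names as produced by `ssh-keygen -H`). The sample file, its salt and its key blobs are constructed placeholders. It shows which CA entries would be consulted for a given host, which is exactly the decision the thread wants to narrow by principal.

```python
"""Parser and matcher for OpenSSH known_hosts entries: @cert-authority /
@revoked markers, host pattern lists with '*' / '?' wildcards and '!'
negation, [host]:port entries and hashed (|1|salt|hmac) hostnames.
Constructed example; not OpenSSH's own code."""
import base64
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import List, Optional

MARKERS = ("@cert-authority", "@revoked")


@dataclass
class KnownHostEntry:
    marker: Optional[str]   # "@cert-authority", "@revoked" or None for a plain host key
    patterns: List[str]     # comma-separated host patterns, or one hashed name
    keytype: str
    key: str                # base64 key blob; opaque to this matcher
    comment: str
    line_no: int


def parse_known_hosts(text: str) -> List[KnownHostEntry]:
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0] in MARKERS:
            marker, fields = fields[0], fields[1:]
        elif fields[0].startswith("@"):
            raise ValueError(f"line {line_no}: unknown marker {fields[0]}")
        if len(fields) < 3:
            raise ValueError(f"line {line_no}: expected hosts, key type and key")
        entries.append(KnownHostEntry(marker, fields[0].split(","), fields[1],
                                      fields[2], " ".join(fields[3:]), line_no))
    return entries


def hash_hostname(name: str, salt: bytes) -> str:
    """Hashed form written by 'ssh-keygen -H' / HashKnownHosts: |1|salt|HMAC-SHA1(salt, name)."""
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def _glob(pattern: str):
    # Only '*' and '?' are wildcards in known_hosts patterns; everything else is literal.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(body, re.IGNORECASE)


def patterns_match(patterns: List[str], name: str) -> bool:
    """A matching negated pattern vetoes the whole list; otherwise any positive match wins."""
    matched = False
    for pat in patterns:
        if pat.startswith("|1|"):
            _, _, salt_b64, _ = pat.split("|", 3)
            if hmac.compare_digest(hash_hostname(name, base64.b64decode(salt_b64)), pat):
                matched = True
            continue
        negate = pat.startswith("!")
        if _glob(pat[1:] if negate else pat).fullmatch(name):
            if negate:
                return False
            matched = True
    return matched


def lookup_name(host: str, port: int = 22) -> str:
    """The client looks up 'host' on port 22 and '[host]:port' on any other port."""
    host = host.lower()
    return host if port == 22 else f"[{host}]:{port}"


def find_entries(entries, host, port=22):
    name = lookup_name(host, port)
    return [e for e in entries if patterns_match(e.patterns, name)]


def trusted_cas(entries, host, port=22):
    """CA entries whose key is allowed to sign a host certificate for this host."""
    return [e for e in find_entries(entries, host, port) if e.marker == "@cert-authority"]


# Constructed sample file; the salt and the key blobs are placeholders, not real keys.
SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample; key blobs are placeholders",
    "@cert-authority *.mydomain.org,*.mydomain.com ssh-ed25519 AAAAPLACEHOLDERCA1 monitoring CA",
    "@cert-authority !backup.mydomain.org,*.mydomain.org ssh-ed25519 AAAAPLACEHOLDERCA2",
    "@revoked * ssh-rsa AAAAPLACEHOLDERREVOKED leaked key, reject everywhere",
    "host1.example.net,192.0.2.10 ssh-ed25519 AAAAPLACEHOLDERHOST1",
    "[git.example.net]:2222 ssh-ed25519 AAAAPLACEHOLDERGIT",
    hash_hostname("hashed.example.net", SALT) + " ssh-ed25519 AAAAPLACEHOLDERHASHED",
])
ENTRIES = parse_known_hosts(SAMPLE_KNOWN_HOSTS)

if __name__ == "__main__":
    for host, port in [("mon1.mydomain.org", 22), ("backup.mydomain.org", 22),
                       ("git.example.net", 2222), ("hashed.example.net", 22)]:
        lines = [e.line_no for e in find_entries(ENTRIES, host, port)]
        cas = [e.line_no for e in trusted_cas(ENTRIES, host, port)]
        print(f"{lookup_name(host, port):28} matches lines {lines}; CA lines {cas}")
```

Note that the host pattern is the only selector: once `mon1.mydomain.org` matches a `@cert-authority` line, any certificate signed by that CA with a matching hostname principal is accepted, regardless of any other principal it carries. Splitting CA lines across files via `UserKnownHostsFile`, as suggested above, changes where the CA key lives but not this matching rule. On a real file, `ssh-keygen -F hostname -f known_hosts` performs the same lookup (including hashed entries).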