confusingly enough, it's in the sshd manpage (at least on my system).
Look for the section titled:

    SSH_KNOWN_HOSTS FILE FORMAT

specifically, you want to know about the @cert-authority marker

tl;dr, you can put something like the following in your
/etc/ssh/ssh_known_hosts or ~/.ssh/known_hosts

    @cert-authority *.example.com ssh-ed25519 <pubkey1>
    @cert-authority *.not-example.com ssh-ed25519 <pubkey2>

and that tells your clients to accept certs signed by pubkey1 when
connecting to hosts with HostNames like *.example.com and to accept
certs signed by pubkey2 when connecting to hosts with HostNames like
*.not-example.com.

HTH

Cheers,
peter

On Fri, Jun 28, 2019 at 7:22 AM Daniel Kahn Gillmor <dkg@xxxxxxxxxxxxxxxxx> wrote:
>
> Hi all--
>
> The CERTIFICATES section of ssh-keygen(1) says:
>
>     For certificates to be used for user or host authentication, the CA
>     public key must be trusted by sshd(8) or ssh(1). Please refer to
>     those manual pages for details.
>
> For sshd(8) (and sshd_config(5)) i've found TrustedUserCAKeys, but
> ssh(1) and ssh_config(5) don't appear to have an equivalent directive.
>
> i am considering using OpenSSH certificates for clients to authenticate
> hosts within a domain (so i want to sequester this directive within a
> Match stanza), and i don't want to grant "trust" to a certificate
> authority outside of the zone i know it should be scoped to.
>
> I've also run "strings /usr/bin/ssh | grep -i trust" but i don't see
> anything that looks promising there either :/
>
> Thanks for any pointers you can give!
>
>         --dkg
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
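To make the zone-scoping behind peter's answer concrete, here is an added example (editor's code, not from the thread and not OpenSSH's own implementation) that parses known_hosts entries and reports which CA keys a client would trust for a given host. It applies the matching rules from the SSH_KNOWN_HOSTS FILE FORMAT section of sshd(8): comma-separated patterns with `*`/`?` wildcards, `!` negation voiding a line, the `[host]:port` form for non-default ports, hashed `|1|salt|hash` entries (HMAC-SHA1 keyed with the salt), and the `@cert-authority` and `@revoked` markers. The sample file, the key blobs (`AAAAC3ExampleCA1` and friends are placeholders, not real keys) and the fixed salt are constructed for the example. Two practitioner caveats it makes visible: `*.example.com` does not match the apex `example.com` itself, and the hostname pattern on the `@cert-authority` line is only half of the scope, since ssh(1) also requires the host certificate's principal list to name the host (this example insists on an explicit principal list and does not model certificates issued without one).

```python
"""Which host CAs does an OpenSSH client trust for a given host, according to
the @cert-authority lines in known_hosts?  Matching follows the SSH_KNOWN_HOSTS
FILE FORMAT section of sshd(8).  Editor's example, not OpenSSH code."""
import base64
import hashlib
import hmac
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Entry:
    marker: Optional[str]   # "cert-authority", "revoked" or None (plain host key)
    patterns: tuple         # hostname patterns, or a single hashed "|1|..." form
    key: tuple              # (key type, base64 blob)
    lineno: int


@dataclass
class Trust:
    ca_keys: set = field(default_factory=set)    # CAs trusted for this host
    host_keys: set = field(default_factory=set)  # plain keys pinned for this host
    revoked: set = field(default_factory=set)    # keys refused for this host


def lookup_name(hostname, port=22):
    """ssh(1) matches the lowercased name; a non-default port is looked up as [host]:port."""
    hostname = hostname.lower()
    return f"[{hostname}]:{port}" if port != 22 else hostname


def match_pattern(pattern, name):
    """OpenSSH wildcards only: '*' matches any run, '?' one character, all else literal."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern.lower())
    return re.fullmatch(rx, name) is not None


def hashed_pattern(name, salt):
    """Hashed known_hosts form (ssh-keygen -H): |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def entry_matches(entry, name):
    """A matching negated pattern voids the whole line even if another pattern on it
    matches (sshd(8)); a hashed line names exactly one host."""
    first = entry.patterns[0]
    if first.startswith("|1|"):
        _, _, salt_b64, _ = first.split("|")
        return hmac.compare_digest(hashed_pattern(name, base64.b64decode(salt_b64)), first)
    positive = False
    for pat in entry.patterns:
        if pat.startswith("!"):
            if match_pattern(pat[1:], name):
                return False
        elif match_pattern(pat, name):
            positive = True
    return positive


def parse_known_hosts(text):
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):
            marker = fields.pop(0)[1:]
            if marker not in ("cert-authority", "revoked"):
                raise ValueError("line %d: unknown marker @%s" % (lineno, marker))
        if len(fields) < 3:
            raise ValueError("line %d: expected 'hostnames keytype key'" % lineno)
        hosts, keytype, blob = fields[:3]        # anything after the key is a comment
        patterns = (hosts,) if hosts.startswith("|1|") else tuple(hosts.split(","))
        entries.append(Entry(marker, patterns, (keytype, blob), lineno))
    return entries


def trust_for(entries, hostname, port=22):
    """Collect every key the file says something about for this host."""
    name = lookup_name(hostname, port)
    t = Trust()
    for e in entries:
        if entry_matches(e, name):
            {"cert-authority": t.ca_keys, "revoked": t.revoked, None: t.host_keys}[e.marker].add(e.key)
    return t


def accepts(entries, hostname, host_key, signed_by=None, principals=(), port=22):
    """Mirror ssh(1)'s host-authentication decision: a plain key must be pinned for this
    host; a certificate needs a CA trusted for this host via @cert-authority AND a
    principal list naming the host (explicit list required in this example); a revoked
    host key or CA key is refused either way."""
    t = trust_for(entries, hostname, port)
    if host_key in t.revoked or signed_by in t.revoked:
        return False
    if signed_by is None:
        return host_key in t.host_keys
    return hostname.lower() in principals and signed_by in t.ca_keys


# Constructed sample file; the key blobs are placeholders, not real keys.
_SALT = bytes(range(20))   # fixed salt so the hashed line is deterministic
SAMPLE_KNOWN_HOSTS = """\
@cert-authority *.example.com,!bastion.example.com ssh-ed25519 AAAAC3ExampleCA1
@cert-authority *.not-example.com ssh-ed25519 AAAAC3ExampleCA2
[git.example.com]:2222 ssh-ed25519 AAAAC3GitHostKey
@revoked * ssh-ed25519 AAAAC3OldCA
""" + hashed_pattern("vault.example.org", _SALT) + " ssh-ed25519 AAAAC3VaultHostKey\n"
ENTRIES = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
```

Run `trust_for(ENTRIES, "web1.example.com")` to see the first CA trusted, `trust_for(ENTRIES, "example.com")` to see that the apex is not covered by `*.example.com`, and `trust_for(ENTRIES, "git.example.com", port=2222)` to see that the bracketed port form only matches the pinned host-key line, not the wildcard CA line. If you want to scope a CA to the bare domain as well as its subdomains, list both patterns on the line (`example.com,*.example.com`).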