On 17/06/20, Damien Miller (djm@xxxxxxxxxxx) wrote:
> > Firstly, given a host CA signing key on the sshagentca server, would an
> > appropriately constructed host certificate added to a forwarded agent
> > replace the necessity for a '@cert-authority' line in a user's known_hosts
> > file?
>
> I'm not sure I want to add yet another path (the agent) to ssh's already
> twisty host key verification logic. However, a few people have requested
> a KnownHostsCommand option that allows the output of a subprocess to
> be used in addition to the usual known_hosts. Would this work for you?
>
> > Secondly, would there be any alteration to the requirement for a
> > "HostCertificate" CA-signed public key (from a private "HostKey") on
> > sshd receiving servers?
>
> I don't understand what you mean here. Could you elaborate?

My apologies for the poor explanation. Let me try again.

Adding a user certificate to a client forwarded agent allows that client
to use that certificate to authenticate to servers with TrustedUserCAKeys
set to the public key used to sign the certificate.

What would host certificates added to a client forwarded agent give one
(if any), and what part of the normal set of configuration requirements*
does it help with?

* normal config: @cert-authority in the client's ~/.ssh/known_hosts;
  setup of appropriate HostCertificate directives on receiving hosts

Thanks very much

Rory

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
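The "normal config" Rory lists, built end to end with ssh-keygen, as an added example that is not part of the thread or of OpenSSH itself. It shows the two halves that have to line up: on the client, a single @cert-authority line in known_hosts that trusts every host certificate the host CA signs for a host pattern; on the receiving host, the HostKey/HostCertificate pair that sshd presents, plus TrustedUserCAKeys for the user CA. The certificate type (host vs user, chosen with ssh-keygen -h) is baked into the certificate and is what sshd checks against: TrustedUserCAKeys only accepts user certificates, so a host certificate loaded into an agent is not usable for user authentication. The host names, principals, key IDs, paths and validity periods are assumptions for the demo; the helper names (cert_authority_line, sshd_host_cert_config, sshd_user_ca_config, cert_type, ssh_cert_demo) are mine.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenSSH project): the "normal
# config" for SSH host and user certificates, built with ssh-keygen.
# Hostnames, principals, key IDs, paths and validity periods are assumptions.
set -eu

# known_hosts line that makes the client accept any host certificate signed
# by the host CA for hosts matching PATTERN. ssh-keygen prints the CA public
# key as "type base64 comment"; only type and base64 belong in the line.
cert_authority_line() {
    pattern=$1
    ca_pub=$2
    printf '@cert-authority %s %s\n' "$pattern" \
        "$(printf '%s\n' "$ca_pub" | awk '{print $1 " " $2}')"
}

# sshd_config directives on the receiving host: the private HostKey and the
# CA-signed HostCertificate that ssh-keygen writes next to it as *-cert.pub.
sshd_host_cert_config() {
    printf 'HostKey %s\nHostCertificate %s-cert.pub\n' "$1" "$1"
}

# sshd_config directive that accepts user certificates signed by the user CA.
sshd_user_ca_config() {
    printf 'TrustedUserCAKeys %s\n' "$1"
}

# Certificate type as reported by "ssh-keygen -L": the "Type:" line ends in
# "host certificate" or "user certificate". The type is part of the signed
# certificate, so a host cert stays a host cert wherever it is loaded.
cert_type() {
    ssh-keygen -L -f "$1" | awk '/^[[:space:]]*Type:/ {print $(NF-1), $NF; exit}'
}

# Build two CAs, a host key/cert, a user key/cert, and the config fragments
# that consume them, all under DIR (assumed demo layout).
ssh_cert_demo() {
    dir=$1
    mkdir -p "$dir"

    # Separate CAs for host and user certificates, so a compromise of one
    # signing key cannot mint certificates of the other type.
    ssh-keygen -q -t ed25519 -N '' -C host-ca -f "$dir/host_ca"
    ssh-keygen -q -t ed25519 -N '' -C user-ca -f "$dir/user_ca"

    # Receiving host: generate a host key and sign it as a host cert (-h),
    # listing the names clients will connect to as principals.
    ssh-keygen -q -t ed25519 -N '' -f "$dir/ssh_host_ed25519_key"
    ssh-keygen -q -s "$dir/host_ca" -I host1 -h \
        -n host1.example.com,host1 -V -5m:+52w "$dir/ssh_host_ed25519_key.pub"

    # Client: generate a user key and sign it as a short-lived user cert
    # whose principal is the login name allowed on the server.
    ssh-keygen -q -t ed25519 -N '' -f "$dir/id_ed25519"
    ssh-keygen -q -s "$dir/user_ca" -I rory -n rory -V +8h "$dir/id_ed25519.pub"

    # Client-side trust: one @cert-authority line covers every host cert the
    # host CA signs for *.example.com, instead of one key line per host.
    cert_authority_line '*.example.com' "$(cat "$dir/host_ca.pub")" \
        > "$dir/known_hosts"

    # Server side: present the host cert, and trust the user CA.
    {
        sshd_host_cert_config /etc/ssh/ssh_host_ed25519_key
        sshd_user_ca_config /etc/ssh/user_ca.pub
    } > "$dir/sshd_config.snippet"
}

# Stand-alone run: SSH_CERT_DEMO_DIR=/tmp/ssh-cert-demo sh this_script.sh
if [ -n "${SSH_CERT_DEMO_DIR-}" ]; then
    ssh_cert_demo "$SSH_CERT_DEMO_DIR"
    cat "$SSH_CERT_DEMO_DIR/known_hosts" "$SSH_CERT_DEMO_DIR/sshd_config.snippet"
    cert_type "$SSH_CERT_DEMO_DIR/ssh_host_ed25519_key-cert.pub"
    cert_type "$SSH_CERT_DEMO_DIR/id_ed25519-cert.pub"
fi
```

The config fragments are written with the paths sshd would use in production (/etc/ssh/...) rather than the demo directory, so they can be dropped into sshd_config after the key, certificate and user CA public key are copied there; the known_hosts line goes into the client's ~/.ssh/known_hosts (or a file named by KnownHostsFile/GlobalKnownHostsFile).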