On Fri, 10 Nov 2023, Rory Campbell-Lange wrote:

> On 09/11/23, Marian Beermann (public@xxxxxxxxx) wrote:
> > ... while OpenSSH does support using a CA in conjunction with hostbased
> > authentication, it still requires a list of all authorized host names in the
> > rhosts / shosts file.
>
> I'm not familiar with the use of .rhosts/.shosts, but I don't think those are
> needed at all with a machine or per-user known_hosts file/files utilizing host
> certificates.
>
> The known_hosts file can have patterns such as the following:
>
> @cert-authority *.example.com ecdsa-sha2-nistp256 AAAAE2V...
>
> Would accept the host certificate authority for *.example.com. The "Hostnames"
> field can be expanded as needed, and can include hashed hostnames.
>
> See:
> https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Certificate-based_Authentication#4._Updating_Clients_to_Acknowledge_the_Designated_Certificate_Authority
>
> Another example (from the sshd man page)
>
> cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W...
>
> Could that work for you?

AIUI what he is asking for is a file that combines the host identity of the
system-wide ssh_known_hosts file with the host/user authorisation of shosts in
a single file. This might be a little cleaner, but IMO not so much so as to be
highly motivating (personally).

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
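A small checker for the known_hosts "Hostnames" semantics discussed in the thread (comma-separated wildcard patterns, `!` negation and hashed `|1|salt|hash` entries under an `@cert-authority` marker), useful for auditing which CA a client would trust for a given host. This is an added example, not code from the thread or from OpenSSH; the sample file and its key strings are constructed placeholders.

```python
import base64
import hashlib
import hmac
import re


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Build a hashed known_hosts token: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def _pattern_matches(hostname: str, pattern: str) -> bool:
    """One pattern: a hashed token, or a glob where only '*' and '?' are special."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, digest_b64 = pattern.split("|", 3)
        expected = base64.b64decode(digest_b64)
        actual = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, hostname, re.IGNORECASE) is not None


def _hostlist_matches(hostname: str, hostlist: str) -> bool:
    """Comma-separated list; a matching '!'-negated pattern vetoes the whole entry."""
    patterns = hostlist.split(",")
    if any(_pattern_matches(hostname, p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(_pattern_matches(hostname, p) for p in patterns if not p.startswith("!"))


def cert_authorities_for(known_hosts: str, hostname: str) -> list:
    """Return (keytype, key) of every @cert-authority line whose host list covers hostname."""
    found = []
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "@cert-authority":
            continue  # plain host keys, @revoked lines, comments and blanks are not CAs
        if _hostlist_matches(hostname, fields[1]):
            found.append((fields[2], fields[3]))
    return found


# Constructed sample known_hosts; the key strings are placeholders, not real public keys.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# comment line",
    "@cert-authority *.example.com,!build.example.com ecdsa-sha2-nistp256 AAAAE2V...",
    "@cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W...",
    "@cert-authority %s ssh-ed25519 AAAAC3N..." % hash_hostname("db01.internal", b"\x01" * 20),
    "legacy.example.com ssh-rsa AAAAB3N...",
])
```

Running `cert_authorities_for(SAMPLE_KNOWN_HOSTS, "build.example.com")` returns an empty list because the negated pattern vetoes the `*.example.com` entry, while `db01.internal` is only found through its hashed token.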