On Mon, Oct 14, 2024 at 04:29:56PM +0100, Matthew Garrett wrote:
> There's currently no way to express trust for an SSH certificate CA other
> than by manually adding it to known_hosts. This patch modifies the automatic
> key write-out behaviour on user verification to associate the hostname with
> the CA rather than the host key, allowing environments making use of
> certificates to update (potentially compromised) host keys without needing
> to modify client configuration or force users to update their known_hosts.

Oh, and a couple of use-cases I forgot to mention - transparent association of a CA key with a hostname also allows for either transient hosts behind the same hostname without needing to retain private key material, and also makes it possible to have multiple hosts behind the same hostname without having to share key material. This seems especially useful for allowing hardware-backed key material to be used in more complex scenarios than are currently feasible.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
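To make the difference between the two kinds of known_hosts entry concrete, here is an added Python sketch (not part of this thread or of the OpenSSH patch) that classifies the entries applying to a hostname by their marker: a plain per-host key pin, an `@cert-authority` binding of the name to a CA, and an `@revoked` entry. The known_hosts syntax it handles (markers, comma-separated patterns, `*` wildcards, `!` negation, `|1|salt|hmac` hashed names) is OpenSSH's; the key blobs in the sample file are constructed placeholders, not real keys.

```python
import base64
import fnmatch
import hashlib
import hmac

def hash_hostname(host, salt):
    """Produce the |1|salt|hmac form OpenSSH writes with HashKnownHosts yes."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

# Constructed sample file (placeholder blobs, not real keys). Line 1 pins one host
# key to one name; line 2 is the kind of entry the patch would write, binding the
# name to a CA; line 3 is a hashed name; line 4 marks a key as revoked.
SALT = b"0123456789abcdef0123"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "legacy.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5HostKeyPlaceholder",
    "@cert-authority *.fleet.example.com,!canary.fleet.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5CaKeyPlaceholder",
    hash_hostname("bastion.example.com", SALT) + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5BastionPlaceholder",
    "@revoked old.fleet.example.com ssh-rsa AAAAB3NzaC1yc2ERevokedPlaceholder",
])

def pattern_matches(patterns, host):
    """Match the known_hosts host field: comma list, wildcards, !negation, hashes."""
    matched = False
    for pat in patterns.split(","):
        if pat.startswith("|1|"):
            _, _, salt_b64, _ = pat.split("|")
            matched |= hash_hostname(host, base64.b64decode(salt_b64)) == pat
            continue
        if fnmatch.fnmatchcase(host, pat.lstrip("!")):
            if pat.startswith("!"):
                return False  # a negated pattern vetoes the whole entry
            matched = True
    return matched

def trust_for(host, known_hosts_text):
    """Return the entries applying to `host`, grouped by marker."""
    buckets = {"": "host_keys", "@cert-authority": "cert_authorities", "@revoked": "revoked"}
    result = {name: [] for name in buckets.values()}
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = ""
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        patterns, keytype, blob = fields[0], fields[1], fields[2]
        if pattern_matches(patterns, host):
            result[buckets[marker]].append((keytype, blob))
    return result
```

With the sample file, `web1.fleet.example.com` resolves to a CA entry and no pinned host key, so a new host certificate from that CA would be accepted without any known_hosts change, while `canary.fleet.example.com` is excluded by the negated pattern.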