bugzilla-daemon at mindrot.org
2025-Aug-11 15:21 UTC
[Bug 3854] New: Add option "destination-address=address_list" to ssh-keygen
https://bugzilla.mindrot.org/show_bug.cgi?id=3854
Bug ID: 3854
Summary: Add option "destination-address=address_list" to ssh-keygen
Product: Portable OpenSSH
Version: 10.0p2
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: ced at infomaniak.com
Hi,
When creating a certificate with the command ssh-keygen, we see that we
can pass the "-O" options that will be integrated within the
certificate.
I'd like to have a new option which could be called
destination-address
destination-address=address_list
Restrict the destination addresses to which the certificate is
considered valid. The address_list is a comma-separated list of one or
more address/netmask pairs in CIDR format.
Since now, we wouldn't have the need of such options, as these options
were used in authorized_keys as the authorized_keys was de facto
installed on a specific machine.
That way, when creating a certificate I could restrict to which server
the ssh-key can connect.
Regards,
cED
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2025-Aug-12 00:59 UTC
[Bug 3854] Add option "destination-address=address_list" to ssh-keygen
https://bugzilla.mindrot.org/show_bug.cgi?id=3854
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Certificates don't work that way, though there is a third-party
extension that lets you do what you want:
https://github.com/google/hiba