On 12/12/2016 09:09 AM, Damien Miller wrote:
> On Fri, 9 Dec 2016, Harald Dunkel wrote:
> 
>> Hi folks,
>>
>> maybe I am too blind to see, but would it be possible to
>> avoid extra entries in known_hosts, if the remote host
>> has a signed public key matching a @cert-authority line?
>> Something like
>>
>> 	Host *
>> 		HashKnownHosts unsigned
>>
>> This could help to keep the known_hosts file small and
>> yet get all the unsigned public keys in.
> 
> Certificates aren't added to known_hosts when the CA is trusted,
> so this is pretty much already the behaviour.
> 
> -d
> 
I'm not talking about the signed certificates, but the host keys.
Sample session:
% cat .ssh/known_hosts.ca
@cert-authority *.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...5yM9EUO40GTkTDdm/tqXLr root at ca.example.com
@cert-authority *.hosting.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQA...w83RVE37kLAaoGXjQ8mKp4wuUmRuxf root at dex02.hosting.example.com
% ssh -o UserKnownHostsFile=${HOME}/.ssh/known_hosts.ca dpcl064 echo "hello, world"
Warning: Permanently added 'dpcl064' (RSA) to the list of known hosts.
hello, world
% 551} cat .ssh/known_hosts.ca
@cert-authority *.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...5yM9EUO40GTkTDdm/tqXLr root at ca.example.com
@cert-authority *.hosting.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQA...w83RVE37kLAaoGXjQ8mKp4wuUmRuxf root at dex02.hosting.example.com
|1|enWm+4uvYU/G0qgjuYP0TpxIk3M=|MpKwoY+HIrUJbcR4vrNH1xYxWT4= ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB...I2bbm6C52Uga3TBWQ7F+xG0Wd5k1I+KMJnJ
Regards
Harri
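The session above shows a HashKnownHosts entry (|1|salt|hash) being added for dpcl064 even though the file already carried @cert-authority lines. As an added example (not part of the thread or of OpenSSH itself), the script below audits a known_hosts file for one hostname: it reports which @cert-authority patterns cover the host and how many hashed or plain host-key entries already exist for it, using the documented hashed format |1|base64(salt)|base64(HMAC-SHA1(salt, hostname)). The key blobs and the 20-byte salt are constructed placeholders, and the pattern matching uses fnmatch as an approximation of OpenSSH's own wildcard rules.

```python
import base64
import fnmatch
import hashlib
import hmac

# Constructed placeholders standing in for real key blobs (not from the thread).
CA_KEY = "ssh-rsa AAAAB3NzaC1yc2E...CA_PLACEHOLDER root@ca.example.com"
HOST_KEY = "ssh-rsa AAAAB3NzaC1yc2E...HOSTKEY_PLACEHOLDER"
SALT = bytes(range(20))  # constructed 20-byte salt, not the one in the session

def hash_hostname(hostname: str, salt: bytes) -> str:
    """Build an OpenSSH hashed hostname field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def hashed_entry_matches(field: str, hostname: str) -> bool:
    """True if a |1|...|... field is the HMAC of this hostname under its embedded salt."""
    if not field.startswith("|1|"):
        return False
    _, _, salt_b64, mac_b64 = field.split("|", 3)
    salt = base64.b64decode(salt_b64)
    expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(mac_b64))

def audit_known_hosts(text: str, hostname: str) -> dict:
    """Count CA patterns covering hostname and hashed/plain host-key entries stored for it."""
    result = {"ca_patterns": [], "hashed_entries": 0, "plain_entries": 0}
    for line in text.splitlines():
        parts = line.split(None, 3)
        if not parts or parts[0].startswith("#"):
            continue
        marker = None
        if parts[0].startswith("@"):          # @cert-authority / @revoked marker
            marker, parts = parts[0], parts[1:]
        if not parts:
            continue
        hosts_field = parts[0]
        if marker == "@cert-authority":
            # fnmatch approximates OpenSSH's '*' and '?' wildcard matching.
            if any(fnmatch.fnmatchcase(hostname, p) for p in hosts_field.split(",")):
                result["ca_patterns"].append(hosts_field)
        elif hosts_field.startswith("|1|"):
            if hashed_entry_matches(hosts_field, hostname):
                result["hashed_entries"] += 1
        elif hostname in hosts_field.split(","):
            result["plain_entries"] += 1
    return result

# Constructed known_hosts mirroring the session: two CA lines plus one hashed entry for dpcl064.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "@cert-authority *.example.com " + CA_KEY,
    "@cert-authority *.hosting.example.com " + CA_KEY,
    hash_hostname("dpcl064", SALT) + " " + HOST_KEY,
])
```

Running audit_known_hosts(SAMPLE_KNOWN_HOSTS, "dpcl064") shows the situation in the session: one hashed host-key entry and no CA pattern covering the short hostname, which is why the plain key was recorded.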