Hi folks,

maybe I am too blind to see, but would it be possible to avoid extra entries in known_hosts, if the remote host has a signed public key matching a @cert-authority line? Something like

    Host *
    HashKnownHosts unsigned

This could help to keep the known_hosts file small and yet get all the unsigned public keys in.

Just a suggestion, of course.

Regards
Harri
On Fri, 9 Dec 2016, Harald Dunkel wrote:

> Hi folks,
>
> maybe I am too blind to see, but would it be possible to
> avoid extra entries in known_hosts, if the remote host
> has a signed public key matching a @cert-authority line?
> Something like
>
>     Host *
>     HashKnownHosts unsigned
>
> This could help to keep the known_hosts file small and
> yet get all the unsigned public keys in.

Certificates aren't added to known_hosts when the CA is trusted, so this is pretty much already the behaviour.

-d
On 12/12/2016 09:09 AM, Damien Miller wrote:

> On Fri, 9 Dec 2016, Harald Dunkel wrote:
>
>> Hi folks,
>>
>> maybe I am too blind to see, but would it be possible to
>> avoid extra entries in known_hosts, if the remote host
>> has a signed public key matching a @cert-authority line?
>> Something like
>>
>>     Host *
>>     HashKnownHosts unsigned
>>
>> This could help to keep the known_hosts file small and
>> yet get all the unsigned public keys in.
>
> Certificates aren't added to known_hosts when the CA is trusted,
> so this is pretty much already the behaviour.
>
> -d

I'm not talking about the signed certificates, but the host keys. Sample session:

    % cat .ssh/known_hosts.ca
    @cert-authority *.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...5yM9EUO40GTkTDdm/tqXLr root at ca.example.com
    @cert-authority *.hosting.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQA...w83RVE37kLAaoGXjQ8mKp4wuUmRuxf root at dex02.hosting.example.com
    % ssh -o UserKnownHostsFile=${HOME}/.ssh/known_hosts.ca dpcl064 echo "hello, world"
    Warning: Permanently added 'dpcl064' (RSA) to the list of known hosts.
    hello, world
    % 
    551} cat .ssh/known_hosts.ca
    @cert-authority *.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...5yM9EUO40GTkTDdm/tqXLr root at ca.example.com
    @cert-authority *.hosting.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQA...w83RVE37kLAaoGXjQ8mKp4wuUmRuxf root at dex02.hosting.example.com
    |1|enWm+4uvYU/G0qgjuYP0TpxIk3M=|MpKwoY+HIrUJbcR4vrNH1xYxWT4= ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB...I2bbm6C52Uga3TBWQ7F+xG0Wd5k1I+KMJnJ

Regards
Harri
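The session above shows the three kinds of line that end up in a known_hosts file: a `@cert-authority` marker line with a host pattern, a plain host key line, and (with `HashKnownHosts` on) a hashed line of the form `|1|base64(salt)|base64(HMAC-SHA1(salt, hostname))`. Hashing hides which host an entry belongs to, so auditing such a file means testing candidate hostnames against each hashed entry rather than reading it. The following is an added example for that audit, written for this thread and not part of the thread or of OpenSSH; the known_hosts contents, the 20-byte salt and the key blobs are constructed sample data, not the keys from Harri's session.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

HASH_MAGIC = "|1|"  # prefix OpenSSH puts on hashed host fields (HashKnownHosts)


@dataclass
class KnownHostEntry:
    marker: Optional[str]  # "@cert-authority", "@revoked", or None for an ordinary key
    hosts: str             # host pattern field; a hashed field starts with "|1|"
    keytype: str
    key: str
    comment: str


def parse_known_hosts(text: str) -> List[KnownHostEntry]:
    """Split known_hosts text into entries; blank lines, comments and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        marker = None
        if line.startswith("@"):
            marker, line = line.split(None, 1)
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue
        hosts, keytype, key = parts[:3]
        comment = parts[3] if len(parts) == 4 else ""
        entries.append(KnownHostEntry(marker, hosts, keytype, key, comment))
    return entries


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Build the hashed host field exactly as HashKnownHosts does: HMAC-SHA1 keyed with the salt."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def hashed_entry_matches(hosts_field: str, hostname: str) -> bool:
    """Recompute the HMAC for a candidate hostname and compare it with the stored one."""
    if not hosts_field.startswith(HASH_MAGIC):
        return False
    try:
        salt_b64, mac_b64 = hosts_field[len(HASH_MAGIC):].split("|", 1)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(mac_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def classify(entries: List[KnownHostEntry], candidates: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Label each entry as CA, hashed (resolved against the candidate list if possible) or plain."""
    result = []
    for e in entries:
        if e.marker == "@cert-authority":
            result.append(("ca", e.hosts))
        elif e.hosts.startswith(HASH_MAGIC):
            matched = next((h for h in candidates if hashed_entry_matches(e.hosts, h)), None)
            result.append(("hashed", matched))
        else:
            result.append(("plain", e.hosts))
    return result


# Constructed sample data (assumption: not the real keys or salt from the thread).
SAMPLE_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "@cert-authority *.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsampleCA== root@ca.example.com",
    hash_hostname("dpcl064", SAMPLE_SALT) + " ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsampleHost==",
    "build01 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIsampleEd25519==",
])


def audit(text: str, candidates: List[str]) -> List[Tuple[str, Optional[str]]]:
    return classify(parse_known_hosts(text), candidates)


if __name__ == "__main__":
    for kind, host in audit(SAMPLE_KNOWN_HOSTS, ["dpcl065", "dpcl064"]):
        print(f"{kind:7s} {host}")
```

Two details worth keeping in mind when reading such a file: the host pattern on a `@cert-authority` line is matched against the name you connect to (so a short name such as `dpcl064` does not match `*.example.com`), and a hashed entry can only be confirmed for a hostname you already suspect, which is the point of `HashKnownHosts`. The `hashed_entry_matches` check uses a constant-time comparison; an inventory of hosts drawn from an inventory or DNS zone is the usual candidate list for such an audit.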