Daniel Kahn Gillmor
2019-Jun-28 14:19 UTC
ssh_config equivalent of sshd_config's TrustedUserCAKeys
Hi all--

The CERTIFICATES section of ssh-keygen(1) says:

    For certificates to be used for user or host authentication, the CA
    public key must be trusted by sshd(8) or ssh(1). Please refer to
    those manual pages for details.

For sshd(8) (and sshd_config(5)) i've found TrustedUserCAKeys, but ssh(1) and ssh_config(5) don't appear to have an equivalent directive.

i am considering using OpenSSH certificates for clients to authenticate hosts within a domain (so i want to sequester this directive within a Match stanza), and i don't want to grant "trust" to a certificate authority outside of the zone i know it should be scoped to.

I've also run "strings /usr/bin/ssh | grep -i trust" but i don't see anything that looks promising there either :/

Thanks for any pointers you can give!

--dkg
Peter Moody
2019-Jun-28 15:37 UTC
ssh_config equivalent of sshd_config's TrustedUserCAKeys
confusingly enough, it's in the sshd manpage (at least on my system). Look for the section titled:

    SSH_KNOWN_HOSTS FILE FORMAT

specifically, you want to know about the @cert-authority marker.

tl;dr, you can put something like the following in your /etc/ssh/ssh_known_hosts or ~/.ssh/known_hosts

    @cert-authority *.example.com ssh-ed25519 <pubkey1>
    @cert-authority *.not-example.com ssh-ed25519 <pubkey2>

and that tells your clients to accept certs signed by pubkey1 when connecting to hosts with HostNames like *.example.com and to accept certs signed by pubkey2 when connecting to hosts with HostNames *.not-example.com.

HTH

Cheers,
peter

On Fri, Jun 28, 2019 at 7:22 AM Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
>
> Hi all--
>
> The CERTIFICATES section of ssh-keygen(1) says:
>
>     For certificates to be used for user or host authentication, the CA
>     public key must be trusted by sshd(8) or ssh(1). Please refer to
>     those manual pages for details.
>
> For sshd(8) (and sshd_config(5)) i've found TrustedUserCAKeys, but
> ssh(1) and ssh_config(5) don't appear to have an equivalent directive.
>
> i am considering using OpenSSH certificates for clients to authenticate
> hosts within a domain (so i want to sequester this directive within a
> Match stanza), and i don't want to grant "trust" to a certificate
> authority outside of the zone i know it should be scoped to.
>
> I've also run "strings /usr/bin/ssh | grep -i trust" but i don't see
> anything that looks promising there either :/
>
> Thanks for any pointers you can give!
>
> --dkg
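An added audit helper, not part of this thread and not OpenSSH code: given known_hosts lines like the ones in the reply above, it reports which CA keys a client would accept host certificates from for a given hostname, applying the comma-separated pattern, "!" negation and @revoked rules from the SSH_KNOWN_HOSTS FILE FORMAT section, which is exactly the scoping question the original post asks about. The sample file and key blobs are constructed placeholders; hashed (|1|...) hostnames and [host]:port patterns are deliberately not handled.

```python
import re

# Constructed known_hosts content modelled on the reply above; key blobs are
# placeholders, not real keys. Entries are (marker, host patterns, key type, key).
SAMPLE_KNOWN_HOSTS = """\
@cert-authority *.example.com ssh-ed25519 AAAA_PUBKEY1_PLACEHOLDER
@cert-authority *.not-example.com ssh-ed25519 AAAA_PUBKEY2_PLACEHOLDER
@cert-authority *.example.com,!legacy.example.com ssh-ed25519 AAAA_PUBKEY3_PLACEHOLDER
@revoked * ssh-ed25519 AAAA_PUBKEY3_PLACEHOLDER
bastion.example.com ssh-ed25519 AAAA_HOSTKEY_PLACEHOLDER
"""

def _glob_matches(pattern, host):
    """OpenSSH-style host pattern: '*' matches any run, '?' one char, no [] classes."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, host, re.IGNORECASE) is not None

def host_matches(pattern_list, host):
    """Comma-separated patterns; a matching '!'-negated pattern vetoes the entry."""
    matched = False
    for pat in pattern_list.split(","):
        if pat.startswith("!"):
            if _glob_matches(pat[1:], host):
                return False
        elif _glob_matches(pat, host):
            matched = True
    return matched

def parse_known_hosts(text):
    """Parse plain-text known_hosts lines; hashed (|1|...) hosts are skipped here."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        marker, _, rest = line.partition(" ") if line.startswith("@") else (None, "", line)
        fields = rest.split()
        if len(fields) < 3 or fields[0].startswith("|1|"):
            continue
        entries.append((marker, fields[0], fields[1], fields[2]))
    return entries

def trusted_cas_for(host, entries):
    """CA keys whose host certificates a client would accept for this host."""
    revoked = {(kt, key) for m, pats, kt, key in entries
               if m == "@revoked" and host_matches(pats, host)}
    return [(kt, key) for m, pats, kt, key in entries
            if m == "@cert-authority" and host_matches(pats, host)
            and (kt, key) not in revoked]
```

Running trusted_cas_for over every hostname in a fleet inventory is a quick way to check that no CA is trusted outside the zone it was issued for, and that a bare "example.com" is not covered by "*.example.com".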