
ssh_config equivalent of sshd_config's TrustedUserCAKeys
Hi all--

The CERTIFICATES section of ssh-keygen(1) says:

For certificates to be used for user or host authentication, the CA
public key must be trusted by sshd(8) or ssh(1). Please refer to
those manual pages for details.

For sshd(8) (and sshd_config(5)) i've found TrustedUserCAKeys, but
ssh(1) and ssh_config(5) don't appear to have an equivalent directive.

i am considering using OpenSSH certificates for clients to authenticate
hosts within a domain (so i want to sequester this directive within a
Match stanza), and i don't want to grant "trust" to a certificate
authority outside of the zone i know it should be scoped to.

I've also run "strings /usr/bin/ssh | grep -i trust" but i don't see
anything that looks promising there either :/

Thanks for any pointers you can give!

--dkg
Re: ssh_config equivalent of sshd_config's TrustedUserCAKeys
confusingly enough, it's in the sshd manpage (at least on my system).
Look for the section titled:

SSH_KNOWN_HOSTS FILE FORMAT

specifically, you want to know about the @cert-authority marker

tl;dr, you can put something like the following in your
/etc/ssh/ssh_known_hosts or ~/.ssh/known_hosts

@cert-authority *.example.com ssh-ed25519 <pubkey1>
@cert-authority *.not-example.com ssh-ed25519 <pubkey2>

and that tells your clients to accept certs signed by pubkey1 when
connecting to hosts with HostNames like *.example.com and to accept
certs signed by pubkey2 when connecting to hosts with HostNames
*.not-example.com.

HTH

Cheers,
peter

On Fri, Jun 28, 2019 at 7:22 AM Daniel Kahn Gillmor
<dkg@fifthhorseman.net> wrote:
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
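The known_hosts lookup Peter describes, as an added example in Python (not code from this thread or from OpenSSH): it parses @cert-authority lines, applies the hostname pattern rules documented in sshd(8) (`*` and `?` wildcards, `!` exclusions, case-insensitive matching), and reports which CA keys a client would trust to sign a host certificate for a given host. The sample file and its key blobs are constructed placeholders, and the third line (with an exclusion) is an assumption added to exercise negation.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample known_hosts content; the key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
@cert-authority *.example.com ssh-ed25519 AAAAplaceholderCA1
@cert-authority *.not-example.com ssh-ed25519 AAAAplaceholderCA2
@cert-authority *.lab.example.com,!build.lab.example.com ssh-ed25519 AAAAplaceholderCA3
bastion.example.com ssh-ed25519 AAAAplaceholderHostKey
"""

# Each entry: (marker or None, [host patterns], keytype, key). The marker is
# "@cert-authority" or "@revoked"; None means an ordinary host key line.
Entry = Tuple[Optional[str], List[str], str, str]

def parse_known_hosts(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if len(fields) < 3:
            continue  # malformed line: ssh warns and ignores it
        entries.append((marker, fields[0].split(","), fields[1], fields[2]))
    return entries

def _pattern_matches(pattern: str, hostname: str) -> bool:
    # sshd(8) wildcards: "*" matches any run of characters, "?" one character;
    # comparison is case-insensitive. Hashed (|1|...) entries are not handled here.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, hostname, re.IGNORECASE) is not None

def host_matches(patterns: List[str], hostname: str) -> bool:
    # A matching negated ("!") pattern wins over any positive match on the same line.
    matched = False
    for p in patterns:
        if p.startswith("!"):
            if _pattern_matches(p[1:], hostname):
                return False
        elif _pattern_matches(p, hostname):
            matched = True
    return matched

def trusted_ca_keys(text: str, hostname: str) -> List[Tuple[str, str]]:
    """CA (keytype, key) pairs whose host certificates ssh would accept for hostname."""
    return [(kt, key) for marker, pats, kt, key in parse_known_hosts(text)
            if marker == "@cert-authority" and host_matches(pats, hostname)]
```

Note that `*.example.com` does not match `db.not-example.com`, so the two CAs stay scoped to their own zones exactly as the reply describes.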