[ssh_x509] logging into server without being asked about host key?

ssh_x509 at roumenpetrov.info
Fri Oct 5 02:16:01 EEST 2012

I think I configured everything correctly but, when logging into a 
server, I'm still asked:

The authenticity of host '[localhost]:8022 ([::1]:8022)' can't be 
RSA+cert key fingerprint is c0:29:82:d8:26:67:94:8e:1c:b3:90:d3:0e:7a:65:ae.
Distinguished name is 
'C=xx,ST=xxxxxxx,L=xxxxxx,O=xxxxxxx,OU=xxxxx,CN=myhost,emailAddress=xxxx at xxxxxx.net'.
Are you sure you want to continue connecting (yes/no)? yes

Is it expected that a properly configured system would ask this?

I ask because, using OpenSSH's native certificates, it's possible to log 
into a server without being prompted, so long as the client's 
known_hosts file has the signing CA's info listed (i.e. @cert-authority 
*.bar.com ssh-rsa AAAAB3[...]== Comment) and the principals in the 
server's cert match the IP/FQDN that the connection was to...
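
The OpenSSH native-certificate check the message describes, as an added example that is not part of the original post and is not ssh_x509 code. It is a simplified model: the sample known_hosts text, key blobs and function names are constructed, signature verification and @revoked lines are not modelled, and the principal comparison against the bare host name is an assumption.

```python
import re

# Constructed known_hosts text; key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
@cert-authority *.bar.com,!legacy.bar.com ssh-rsa AAAAB3PLACEHOLDERCA== Comment
[localhost]:8022 ssh-rsa AAAAB3PLACEHOLDERHOST== pinned plain key
"""

def _glob(pattern, name):
    # known_hosts wildcards are only '*' and '?'; '[' and ']' are literal.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, name, re.IGNORECASE) is not None

def pattern_list_matches(patterns, name):
    """Comma-separated patterns; a matching '!pattern' vetoes the line."""
    hit = False
    for p in patterns.split(","):
        if p.startswith("!"):
            if _glob(p[1:], name):
                return False
        elif _glob(p, name):
            hit = True
    return hit

def lookup_names(host, port=22):
    """Names tried, in order: '[host]:port' for a non-default port, then host."""
    return ([] if port == 22 else [f"[{host}]:{port}"]) + [host]

def trusted_cas(known_hosts_text, host, port=22):
    """(keytype, blob) of every @cert-authority line covering host:port."""
    found = []
    for line in known_hosts_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] != "@cert-authority":
            continue  # comments, plain keys, @revoked: not modelled here
        if any(pattern_list_matches(f[1], n) for n in lookup_names(host, port)):
            found.append((f[2], f[3]))
    return found

def no_prompt_expected(known_hosts_text, host, port, cert_principals):
    """Assumption: a CA line must cover the name and the certificate must
    list the bare host name as a principal (signature check not modelled)."""
    return bool(trusted_cas(known_hosts_text, host, port)) and host in cert_principals
```

In this model a connection to localhost on port 8022 finds no covering @cert-authority line in the sample file, so a prompt would still be expected there.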

