[ssh_x509] logging into server without being asked about host key?

ssh_x509 at roumenpetrov.info
Sat Oct 6 12:11:16 EEST 2012

Hi Kent.
> I think I configured everything correctly but, when logging into a 
> server, I'm still asked:
> ----BEGIN----
> The authenticity of host '[localhost]:8022 ([::1]:8022)' can't be 
> established.
> RSA+cert key fingerprint is 
> c0:29:82:d8:26:67:94:8e:1c:b3:90:d3:0e:7a:65:ae.
> Distinguished name is 
> 'C=xx,ST=xxxxxxx,L=xxxxxx,O=xxxxxxx,OU=xxxxx,CN=myhost,emailAddress=xxxx at xxxxxx.net'.
> Are you sure you want to continue connecting (yes/no)? yes
> -----END-----
> Is it expected that a properly configured system would ask this?
No, except for the first time: as the host key is new, you use a configuration with 
StrictHostKeyChecking set to ask, and the user known hosts file does not list 
the "new" host key.
Right?

> I ask because, using OpenSSH's native certificates, it's possible to 
> log into a server without being prompted, so long as the client's 
> known_hosts file has the signing CA's info listed (i.e. 
> @cert-authority *.bar.com ssh-rsa AAAAB3[...]== Comment) and the 
> principals in the server's cert match the IP/FQDN that the connection 
> was to...
But did you change the host key in this scenario? I mean you set up the systems 
(host & client), connect to the host many times, and after this you change the host 
key. What is the result?

> Thanks,
> Kent


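A simplified model of the client-side decision discussed in this thread (a plain known_hosts entry for the host, the @cert-authority entry for OpenSSH certificates, and StrictHostKeyChecking deciding what happens when neither matches), added here as an example and not code from OpenSSH or from the ssh_x509 project; the key blobs, host names and known_hosts content are constructed, and hashed or @revoked entries are not modelled.

```python
import re
from dataclasses import dataclass
# Constructed sample known_hosts; the key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """
[localhost]:8022 ssh-rsa AAAAB3HOSTKEY
@cert-authority *.bar.com ssh-rsa AAAAB3CAKEY Comment
"""

@dataclass
class PresentedKey:
    key_type: str            # e.g. "ssh-rsa" or "ssh-rsa-cert-v01@openssh.com"
    blob: str                # base64 blob as it would appear in known_hosts
    ca_blob: str = ""        # certificates only: blob of the signing CA key
    principals: tuple = ()   # certificates only: host principals in the cert

def match_pattern(pattern, host):
    # known_hosts patterns know only '*' and '?'; '[' and ']' are literal ([host]:port form)
    regex = re.escape(pattern.lower()).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, host.lower()) is not None

def parse_known_hosts(text):
    """Yield (marker, patterns, key_type, blob); skips blank, comment and hashed lines."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(("#", "|1|")):
            continue
        marker = None
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if len(fields) >= 3:
            yield marker, fields[0], fields[1], fields[2]

def host_key_decision(known_hosts, host, key, strict="ask"):
    """Return 'trusted', 'mismatch', or 'prompt'/'accept-new'/'reject' per StrictHostKeyChecking."""
    principal = host.split("]:")[0].lstrip("[")   # "[localhost]:8022" -> "localhost"
    seen_plain = False
    for marker, patterns, ktype, blob in parse_known_hosts(known_hosts):
        if not any(match_pattern(p, host) for p in patterns.split(",")):
            continue
        if marker == "@cert-authority":
            if blob == key.ca_blob and principal in key.principals:
                return "trusted"
        elif marker is None:
            if ktype == key.key_type and blob == key.blob:
                return "trusted"
            seen_plain = True   # same host, different plain key: rotation or MITM
    if seen_plain:
        return "mismatch"
    return {"ask": "prompt", "no": "accept-new", "yes": "reject"}[strict]
```

Note that a host contacted on a non-default port is looked up as `[host]:port`, so the same server reached on another port is a "new" host and prompts again.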