[ssh_x509] logging into server without being asked about host key?

ssh_x509 at roumenpetrov.info
Mon Oct 8 22:37:27 EEST 2012

On 10/6/12 5:11 AM, ssh_x509 at roumenpetrov.info wrote:
> Hi Kent.
>> I think I configured everything correctly but, when logging into a 
>> server, I'm still asked:
>> ----BEGIN----
>> The authenticity of host '[localhost]:8022 ([::1]:8022)' can't be 
>> established.
>> RSA+cert key fingerprint is 
>> c0:29:82:d8:26:67:94:8e:1c:b3:90:d3:0e:7a:65:ae.
>> Distinguished name is 
>> 'C=xx,ST=xxxxxxx,L=xxxxxx,O=xxxxxxx,OU=xxxxx,CN=myhost,emailAddress=xxxx at xxxxxx.net'.
>> Are you sure you want to continue connecting (yes/no)? yes
>> -----END-----
>> Is it expected that a properly configured system would ask this?
> No, except for the first time, as the host key is new: you use a configuration 
> with StrictHostKeyChecking set to ask and the user known-hosts file does 
> not list the "new" host key.
> Right?

Sorry, I should have been more clear.  Yes, StrictHostKeyChecking is on 
and I'm only asked the first time.  But I don't want to be asked at 
all.  Instead, I want it to be like with OpenSSH's native certificate 
support, where only the CA's key needs to be in the known_hosts file, 
thus automatically authenticating any SSH server presenting a host key 
signed by that CA.

>> I ask because, using OpenSSH's native certificates, it's possible to 
>> log into a server without being prompted, so long as the client's 
>> known_hosts file has the signing CA's info listed (i.e. 
>> @cert-authority *.bar.com ssh-rsa AAAAB3[...]== Comment) and the 
>> principals in the server's cert match the IP/FQDN that the connection 
>> was to...
> But did you change the host key in this scenario? I mean you set up 
> systems (host & client), connect to the host many times and after this you 
> change the host key. What is the result?
It does not matter if the host key changes, so long as the new host key 
is signed by the CA my client trusts.  Once configured, my client 
doesn't prompt to accept the host key the first time it connects to the 
server or if ever the server's host key changes.  In fact, the server's 
host key isn't ever stored in the known_hosts file...

Perhaps this tutorial explains: 
http://blog.habets.pp.se/2011/07/OpenSSH-certificates.  Or this more 
condensed tutorial: 
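
The behaviour Kent describes above comes down to a handful of client-side checks: is there an @cert-authority line in known_hosts whose host pattern matches the name (and, for a non-default port, the [host]:port form) the client connected to, does that line name the CA that signed the presented host key, is the certificate inside its validity window, and do its principals include the host name. The following model of that decision is an added example for this page, not code from the thread, from OpenSSH or from ssh_x509. The known_hosts text, the key blobs (AAAAB3-BAR-CA and friends are placeholders, not key material) and the certificates are constructed; principal matching is done as an exact, case-insensitive comparison, which is the conservative reading of the rule; and the CA signature itself is not verified, since the model carries no real keys.

```python
"""Toy model of the host-certificate decision an OpenSSH client makes against
known_hosts.  Added example, not code from OpenSSH or ssh_x509; all sample
data below is constructed and the key blobs are placeholders."""
import base64
import hashlib
import hmac
import re
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class KnownHostEntry:
    marker: Optional[str]    # None, "cert-authority" or "revoked"
    patterns: str            # comma-separated host patterns, or a |1| hashed host
    keytype: str
    key: str                 # base64 blob (placeholder text in the sample)


@dataclass
class HostCert:
    ca_key: Tuple[str, str]  # (keytype, key) of the CA that signed the host key
    principals: List[str]    # host names the certificate is valid for
    valid_after: int         # unix time; accepted when valid_after <= now < valid_before
    valid_before: int


def parse_known_hosts(text: str) -> List[KnownHostEntry]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        marker = None
        if line.startswith("@"):          # "@cert-authority" / "@revoked" marker
            marker, line = line[1:].split(None, 1)
        fields = line.split(None, 3)      # patterns keytype key [comment]
        if len(fields) < 3:
            continue
        entries.append(KnownHostEntry(marker, fields[0], fields[1], fields[2]))
    return entries


def hashed_pattern(host: str, salt: bytes) -> str:
    """HashKnownHosts-style entry: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def _hashed_match(host: str, pattern: str) -> bool:
    _, _, salt_b64, hash_b64 = pattern.split("|", 3)
    salt = base64.b64decode(salt_b64)
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(digest, base64.b64decode(hash_b64))


def _match_pattern(host: str, pattern: str) -> bool:
    # OpenSSH patterns know only '*' and '?'; everything else is literal, so the
    # brackets in a "[host]:port" entry are ordinary characters, not a class.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, host, re.IGNORECASE) is not None


def match_pattern_list(host: str, pattern_list: str) -> bool:
    """Comma-separated patterns; a matching '!pattern' vetoes the whole list."""
    matched = False
    for pat in pattern_list.split(","):
        if pat.startswith("|1|"):
            if _hashed_match(host, pat):
                return True
            continue
        negated = pat.startswith("!")
        if _match_pattern(host, pat[1:] if negated else pat):
            if negated:
                return False
            matched = True
    return matched


def host_spec(host: str, port: int = 22) -> str:
    """known_hosts keys a non-default port as [host]:port."""
    return host if port == 22 else "[%s]:%d" % (host, port)


def check_host_cert(entries, host, port, cert, now=None) -> Tuple[bool, str]:
    """Return (accept, reason) for a server that presented `cert` for host:port."""
    now = int(time.time()) if now is None else now
    spec = host_spec(host, port)
    matching = [e for e in entries if match_pattern_list(spec, e.patterns)]
    if any(e.marker == "revoked" and (e.keytype, e.key) == cert.ca_key for e in matching):
        return False, "signing CA is listed as @revoked for %s" % spec
    if not any(e.marker == "cert-authority" and (e.keytype, e.key) == cert.ca_key for e in matching):
        return False, "no @cert-authority entry for %s names the signing CA" % spec
    if not (cert.valid_after <= now < cert.valid_before):
        return False, "certificate is outside its validity window"
    if host.lower() not in (p.lower() for p in cert.principals):
        return False, "certificate principals %s do not include %s" % (cert.principals, host)
    return True, "host certificate accepted; no prompt and nothing written to known_hosts"


SAMPLE_KNOWN_HOSTS = """\
# Constructed sample; key blobs are placeholders, not real key material.
@cert-authority *.bar.com,!legacy.bar.com ssh-rsa AAAAB3-BAR-CA Bar CA
@cert-authority [localhost]:8022 ssh-rsa AAAAB3-LOCAL-CA CA for the forwarded port
@revoked *.bar.com ssh-rsa AAAAB3-OLD-CA retired Bar CA
"""

if __name__ == "__main__":
    entries = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    web = HostCert(("ssh-rsa", "AAAAB3-BAR-CA"), ["web1.bar.com", "web1"], 0, 2**31)
    for target in ("web1.bar.com", "web2.bar.com", "legacy.bar.com"):
        print(target, check_host_cert(entries, target, 22, web, now=1_000_000))
```

Two details in the model are the ones that usually explain a surprise prompt in practice: the @cert-authority pattern is matched against `[host]:port` when the port is not 22 (so a CA line for `localhost` does not cover `[localhost]:8022`), and the certificate has to list the exact name the client connected to, not just any name for the machine.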

