[ssh_x509] x509v3-ssh-rsa hostkey algorithm on Cisco IOS XE

ssh_x509 at roumenpetrov.info
Wed Feb 19 13:27:56 EET 2020

Hello Roumen,

For quite a while, Cisco IOS XE has supported x509v3-ssh-rsa as a hostkey
algorithm. I've set up a lab environment to lab it and can connect to an IOS XE
router with an x509v3-ssh-rsa hostkey. The thing I'm interested in is the
format PKIX-SSH uses to store the SSH server's identity in known_hosts:

.ssh/known_hosts x509v3-sign-rsa Subject:C=AU,ST=Some-State,O=Internet Widgits Pty Ltd,CN=r1.lab.local

I evaluated the x509v3-ssh-rsa option as a replacement for typical ssh-rsa
hostkeys, and thought it should have a store of valid CAs per domain in a
format similar to (just proposing) "*.lab.local x509v3-sign-rsa
/etc/ssl/certificates/ca.lab.local.cer". This would facilitate scalable
management of trust: when you need to import the cert of only one CA that has
signed certs for hundreds of SSH servers, you need only one entry in
known_hosts to trust all of them, as opposed to per-host trust with regular
ssh-rsa. Unfortunately I was unable to figure out how to configure PKIX-SSH
to do so.

Am I understanding correctly that, as of now, PKIX-SSH just compares the CN in
the certificate it was presented with and, if there's a match, considers
that SSH server authentic? Or am I totally missing some PKIX-SSH config?

Sergei Fomin

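Added example (editor's illustration, not code from the mail, from Sergei, or from PKIX-SSH): a small stdlib-only model of the per-host subject pinning the mail describes, i.e. known_hosts entries of the shape "host x509v3-sign-rsa Subject:<DN>" matched against the subject DN of the certificate a server presents. The "Subject:" entry shape is taken from the mail; the host names, the second entry, the OpenSSH-style host-pattern rules ('*' and '?' wildcards, comma lists, '!' negation) and the DN comparison rules are assumptions made for the example and say nothing about how PKIX-SSH actually implements the check. Note that matching a pinned DN is a per-host decision, exactly the thing a CA-based entry would replace: nothing here verifies a signature chain.

```python
"""Pin-style matching of known_hosts 'x509v3-sign-rsa Subject:<DN>' entries.

Constructed illustration. The host-pattern rules and the DN comparison are
assumptions for this example, not PKIX-SSH's implementation.
"""
import fnmatch
from typing import List, Tuple

DN = List[Tuple[str, str]]

# Constructed sample file. The Subject: form follows the entry quoted in the
# mail; host names, the comma list and the ssh-rsa line are invented here.
SAMPLE_KNOWN_HOSTS = """\
# lab routers with X.509 hostkeys
r1.lab.local x509v3-sign-rsa Subject:C=AU,ST=Some-State,O=Internet Widgits Pty Ltd,CN=r1.lab.local
r2.lab.local,10.0.0.2 x509v3-sign-rsa Subject:C=AU,ST=Some-State,O=Internet Widgits Pty Ltd,CN=r2.lab.local
legacy.lab.local ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...
"""


def parse_dn(text: str) -> DN:
    """Split an RFC 2253-style DN into (attribute, value) pairs.

    A backslash escapes the next character, so 'O=Widgits\\, Inc' keeps its
    comma. Attribute types are upper-cased so 'cn=' and 'CN=' compare equal;
    values are kept as written (only surrounding whitespace is dropped).
    """
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == '\\' and i + 1 < len(text):   # escaped char: keep literally
            buf.append(text[i + 1])
            i += 2
            continue
        if ch == ',':                           # unescaped comma ends an RDN
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append(''.join(buf))
    dn: DN = []
    for part in parts:
        if not part.strip():
            continue
        attr, sep, value = part.partition('=')  # first '=' separates type
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        dn.append((attr.strip().upper(), value.strip()))
    return dn


def parse_known_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Yield (host_pattern, key_type, key_data) for each non-comment line.

    The third field is split off only once because an X.509 subject may
    contain spaces ('O=Internet Widgits Pty Ltd').
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split(None, 2)
        if len(fields) != 3:
            raise ValueError(f"malformed known_hosts line: {raw!r}")
        entries.append((fields[0], fields[1], fields[2]))
    return entries


def host_matches(pattern: str, host: str) -> bool:
    """OpenSSH-style pattern list (assumed): comma separated, '*' and '?'
    wildcards, a leading '!' negates and vetoes the whole list."""
    host = host.lower()
    matched = False
    for pat in pattern.lower().split(','):
        negate = pat.startswith('!')
        if negate:
            pat = pat[1:]
        if fnmatch.fnmatchcase(host, pat):
            if negate:
                return False
            matched = True
    return matched


def stored_subjects_for(text: str, host: str) -> List[DN]:
    """All certificate subjects the file pins for this host."""
    subjects = []
    for pattern, key_type, data in parse_known_hosts(text):
        if not (key_type.startswith('x509v3-') and data.startswith('Subject:')):
            continue                            # plain ssh-rsa lines are not DNs
        if host_matches(pattern, host):
            subjects.append(parse_dn(data[len('Subject:'):]))
    return subjects


def subject_is_pinned(text: str, host: str, presented_subject: str) -> bool:
    """True when the presented certificate's whole subject DN equals one of
    the DNs pinned for this host. RDN order matters; a different CN for the
    same O/ST/C is a mismatch, which is why this stays a per-host trust."""
    presented = parse_dn(presented_subject)
    return any(presented == pinned for pinned in stored_subjects_for(text, host))
```

Run `subject_is_pinned(SAMPLE_KNOWN_HOSTS, "r1.lab.local", "C=AU,ST=Some-State,O=Internet Widgits Pty Ltd,CN=r1.lab.local")` to see the pinned case succeed; presenting r2's subject for r1 fails, because only the full DN is compared, not the CA that issued it. The wildcard pattern `*.lab.local` works for host selection, but with subject pinning every router still needs its own DN line, which is the scaling problem the proposed CA-file entry would address.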