Created attachment 2994
Patch to respect HostKeyAlias when using host certificates

When connecting to an ssh server by IP address (or another DNS name), with HostKeyAlias set to the name of the principal signed by the CA, one gets:

> key_cert_check_authority: invalid certificate
> Certificate invalid: name is not a listed principal

The proposed patch changes this behavior by using options.host_key_alias in the contingency that it is set.
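The name selection described in this report, as a simplified C model added here for illustration; it is not part of the thread, the attached patch, or OpenSSH source. The struct, the function names, the host name and the address are constructed, and the model assumes exact-match principal comparison with an empty principal list accepted for any name.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not OpenSSH source: the part of a host certificate
 * that matters for the principal check. */
struct host_cert {
    const char **principals;   /* names the CA signed the key for */
    size_t nprincipals;
};

/* Returns NULL when the name is acceptable, else the failure reason.
 * Assumption: exact comparison; no principals means valid for any name. */
static const char *check_principal(const struct host_cert *c, const char *name)
{
    size_t i;
    if (c->nprincipals == 0)
        return NULL;
    for (i = 0; i < c->nprincipals; i++)
        if (strcmp(c->principals[i], name) == 0)
            return NULL;
    return "Certificate invalid: name is not a listed principal";
}

/* Name handed to the principal check. respect_alias == 0 models the
 * reported behaviour; respect_alias == 1 models the patched behaviour. */
static const char *name_for_cert_check(const char *hostname,
    const char *host_key_alias, int respect_alias)
{
    if (respect_alias && host_key_alias != NULL)
        return host_key_alias;
    return hostname;
}

/* Convenience wrapper: 1 if the certificate is accepted, 0 otherwise. */
static int cert_accepted(const struct host_cert *c, const char *hostname,
    const char *host_key_alias, int respect_alias)
{
    return check_principal(c,
        name_for_cert_check(hostname, host_key_alias, respect_alias)) == NULL;
}

int main(void)
{
    const char *names[] = { "db1.example.com" };   /* constructed principal */
    struct host_cert cert = { names, 1 };
    printf("reported: %d\n", cert_accepted(&cert, "192.0.2.10", "db1.example.com", 0));
    printf("patched:  %d\n", cert_accepted(&cert, "192.0.2.10", "db1.example.com", 1));
    return 0;
}
```

With the alias respected, the alias must itself be a principal on the certificate, so a HostKeyAlias that names a different host still fails the check.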
Is this HostKeyAlias behavior intentional? If it is, is there a way to specify which principal should be expected on a host key certificate? Should another configuration option be introduced to preserve pre-existing configurations' behavior? Is there anything that I can do to help this process?
Created attachment 2998
with documentation

Add documentation, match style(9)
Patch applied, this will be in OpenSSH 7.6.
Close all resolved bugs after release of OpenSSH 7.7.
*** Bug 2359 has been marked as a duplicate of this bug. ***