From d34125d4f7d1db8e5a228b26bc3d0bd335bd5eb9 Mon Sep 17 00:00:00 2001 From: Pino de Candia Date: Thu, 15 Feb 2018 15:09:16 +0000 Subject: [PATCH] Clarification in README about known_hosts file. Change-Id: Ie7361469d00b8904ef841f31b859bce06269b607 --- README.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.rst b/README.rst index 9d69c6a..75280b3 100644 --- a/README.rst +++ b/README.rst @@ -17,7 +17,7 @@ Tatu provides APIs that allows: During negotiation of the SSH connection: #. The server presents its host certificate. -#. The client checks the validity of the host certificate using a Host CA public key configured in its known_hosts file (config line starts with @cert-authority). +#. The client checks the validity of the host certificate using a Host CA public key configured in its known_hosts file (config line starts with @cert-authority ). #. The client presents its client certificate. #. The server checks the validity of the client certifiate using a User CA public key configured in sshd_config (TrustedUserCAKeys). The server also checks that the certificate has not been revoked (RevokedKeys in sshd_config). #. The client certificate also contains a list of SSH principals, some of which the sshd_config may recognize as mapped to specific Linux accounts on the server (AuthorizedPrincipalsFile in sshd_config). The client is only allowed to login to those Linux accounts.
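Review bot: On the `+` line of the known_hosts step, the only visible difference is a space before the closing parenthesis ("starts with @cert-authority )"), so the README still does not tell the reader what comes after the marker. If the aim is to show that more fields follow it, say so explicitly, for example "config line starts with ``@cert-authority``, followed by a host pattern and the Host CA public key", and put the marker in reST literal markup so it is not read as prose. The last-but-one context line in this hunk also has "certifiate", which could be corrected to "certificate" in the same change.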