known_hostsに@cert-authorityで登録したホスト名からホスト認証を行う際に全て小文字でチェックしているらしく, サーバ証明書内のホスト名に大文字が含まれるとコケる. /bin/hostname等を使う場合は注意が必要. 調整が必要なのはサーバ証明書内のホスト名だけで, known_hosts等は気にしなくていいようだ.

環境

ito@ito-VirtualBox:~$ ssh -V
OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6, OpenSSL 1.0.1f 6 Jan 2014

実行してみる

NG

ito@ito-VirtualBox:~$ sudo ssh-keygen -s ca/ca.key -I ca-test-server -h -n ito-VirtualBox /etc/ssh/ssh_host_rsa_key.pub 
Signed host key /etc/ssh/ssh_host_rsa_key-cert.pub: id "ca-test-server" serial 0 for ito-VirtualBox valid forever
ito@ito-VirtualBox:~$ ssh-keygen -L -f /etc/ssh/ssh_host_rsa_key-cert.pub 
/etc/ssh/ssh_host_rsa_key-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com host certificate
        Public key: RSA-CERT 8f:3e:82:c9:1f:5e:90:bd:46:09:0d:1d:7c:36:f5:73
        Signing CA: RSA 2f:4b:d1:af:a9:f7:94:67:9f:b2:a1:88:d2:b0:85:55
        Key ID: "ca-test-server"
        Serial: 0
        Valid: forever
        Principals: 
                ito-VirtualBox
        Critical Options: (none)
        Extensions: (none)
ito@ito-VirtualBox:~$ ssh -i client/client.key client@ito-VirtualBox
Certificate invalid: name is not a listed principal
The authenticity of host 'ito-virtualbox (127.0.1.1)' can't be established.
RSA key fingerprint is 8f:3e:82:c9:1f:5e:90:bd:46:09:0d:1d:7c:36:f5:73.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.

OK

ito@ito-VirtualBox:~$ sudo ssh-keygen -s ca/ca.key -I ca-test-server -h -n ito-virtualbox /etc/ssh/ssh_host_rsa_key.pub 
Signed host key /etc/ssh/ssh_host_rsa_key-cert.pub: id "ca-test-server" serial 0 for ito-virtualbox valid forever
ito@ito-VirtualBox:~$ ssh-keygen -L -f /etc/ssh/ssh_host_rsa_key-cert.pub 
/etc/ssh/ssh_host_rsa_key-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com host certificate
        Public key: RSA-CERT 8f:3e:82:c9:1f:5e:90:bd:46:09:0d:1d:7c:36:f5:73
        Signing CA: RSA 2f:4b:d1:af:a9:f7:94:67:9f:b2:a1:88:d2:b0:85:55
        Key ID: "ca-test-server"
        Serial: 0
        Valid: forever
        Principals: 
                ito-virtualbox
        Critical Options: (none)
        Extensions: (none)
ito@ito-VirtualBox:~$ ssh -i client/client.key client@ito-VirtualBox
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

Last login: Tue May 10 15:25:35 2016 from localhost
client@ito-VirtualBox:~$

公開鍵認証の初回接続で出てくるような「ホストを信頼してknown_hostsに追加しますか？」が出ずに, また, 新たにknown_hostsに追加されるようなことなく接続できればホスト認証成功.