The ssh-keygen program has a -h flag for creating a host key. What is the actual difference between keys created with and without -h? Is there any reason I could/should not use a host key as a user key or vice versa?
-
Hmm, keys are used for authentication for server and client. ssh-keygen utility distributes keys across the file system according to the intended use. You can hack into this process and flip-flop them or you can just use an appropriate flag such as -h for the server key. ssh-keygen -h also replaces the existing server key, which means the server would need to re-authenticate to its clients. – postoronnim Sep 14 '23 at 16:01
-
Thanks. I wondered if replacing the existing host key might be a part of the answer. – Keith Wolters Sep 14 '23 at 19:13
1 Answer
TL;DR: you can use the same key to either create a host or a user certificate; you can put limitations on user certificates but not on host certificates (for now, anyways).
In detail:
The ssh-keygen program has a -h flag for creating a host key
No, the -h flag is only used when you sign the key. From the ssh-keygen man page [1]:
-h When signing a key, create a host certificate instead of a user certificate. Please see the CERTIFICATES section for details
What is the actual difference between keys created with and without -h?
The actual functionality is keys signed with and without -h. The answer lies in the CERTIFICATES section of the manual page:
ssh-keygen supports signing of keys to produce certificates that may be used for user or host authentication
[...]
ssh-keygen supports two types of certificates: user and host. User certificates authenticate users to servers, whereas host certificates authenticate server hosts to users. [...]
The difference is this:
[...]
Additional limitations on the validity and use of user certificates may be specified through certificate options. A certificate option may disable features of the SSH session, may be valid only when presented from particular source addresses or may force the use of a specific command.
[...]
At present, no standard options are valid for host keys.
[1] for Ubuntu Impish, but it's similar to other distros
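As an added illustration of the answer above (not part of the original post), this script signs one subject key twice with the same CA, once as a user certificate carrying -O restrictions and once as a host certificate with -h, then compares what ssh-keygen -L reports. The CA, the subject key, the identities (alice, host.example) and the source-address range are throwaway values constructed for the demo.

```shell
#!/bin/sh
# Added demo: the same key and the same CA produce either a user or a host
# certificate; only the signing flags differ. Needs ssh-keygen on PATH.
set -eu

# Create a CA and one subject key, then sign the subject key twice.
# Prints the temp directory holding user-cert.pub and host-cert.pub.
make_demo_certs() {
    work=$(mktemp -d)
    ssh-keygen -q -t ed25519 -N '' -C demo-ca -f "$work/ca"
    ssh-keygen -q -t ed25519 -N '' -C demo-subject -f "$work/subject"

    # User certificate: no -h. Certificate options (-O) restrict where and
    # how the key may be used; these are the "limitations" the answer means.
    ssh-keygen -q -s "$work/ca" -I alice -n alice \
        -O source-address=10.0.0.0/8 -O force-command=/usr/bin/true \
        "$work/subject.pub"
    mv "$work/subject-cert.pub" "$work/user-cert.pub"

    # Host certificate: identical key material, identical CA, -h at signing
    # time. Principals are the hostnames clients will match against.
    ssh-keygen -q -s "$work/ca" -h -I host.example -n host.example \
        "$work/subject.pub"
    mv "$work/subject-cert.pub" "$work/host-cert.pub"

    printf '%s\n' "$work"
}

# Report the certificate type ("user" or "host") from the "Type:" line of
# ssh-keygen -L output, which ends in "<type> certificate".
cert_type() {
    ssh-keygen -L -f "$1" | awk '/^ *Type:/ { print $(NF-1) }'
}

# Stand-alone run: dump both certificates so the differences are visible.
command -v ssh-keygen >/dev/null 2>&1 || { echo 'ssh-keygen not found' >&2; exit 0; }
demo_dir=$(make_demo_certs)
ssh-keygen -L -f "$demo_dir/user-cert.pub"
ssh-keygen -L -f "$demo_dir/host-cert.pub"
```

Look at the Critical Options section of each dump: the user certificate lists the source-address and force-command restrictions, while the host certificate, signed from the very same subject.pub, carries none.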