Differences


ui_ssh_host_ca 2023-10-10 ui_ssh_host_ca 2026-06-02 (current)
Line 25: Line 25:
The simplest thing you can enter in the //Valid hosts this key is trusted to certify// edit box is just a hostname wildcard such as ''*.example.com''. This matches any host in any subdomain, so both ''ssh.example.com'' and ''login.dept.example.com'' would match, but ''prod.example.net'' would not. The simplest thing you can enter in the //Valid hosts this key is trusted to certify// edit box is just a hostname wildcard such as ''*.example.com''. This matches any host in any subdomain, so both ''ssh.example.com'' and ''login.dept.example.com'' would match, but ''prod.example.net'' would not.
-But you can also enter multiple host name wildcards, and port number ranges, and make complicated Boolean expressions out of them using the operators ''&&'' for "and", ''||'' for "or", ''!'' for "not", and parentheses.+But you can also enter multiple hostname wildcards, and port number ranges, and make complicated Boolean expressions out of them using the operators ''&&'' for "and", ''||'' for "or", ''!'' for "not", and parentheses.
For example, here are some other things you could enter. For example, here are some other things you could enter.
-  * ''*.foo.example.com || *.bar.example.com''. This means the CA is trusted to sign the host key for a connection if the host name matches ''*.foo.example.com'' or it matches ''*.bar.example.com''. In other words, the CA has authority over those two particular subdomains of ''example.com'', but not for anything else, like ''%%www.example.com%%''. +  * ''*.foo.example.com || *.bar.example.com''. This means the CA is trusted to sign the host key for a connection if the hostname matches ''*.foo.example.com'' or it matches ''*.bar.example.com''. In other words, the CA has authority over those two particular subdomains of ''example.com'', but not for anything else, like ''%%www.example.com%%''. 
-  * ''*.example.com && ! *.extrasecure.example.com''. This means the CA is trusted to sign the host key for a connection if the host name matches ''*.example.com'' but does not match ''*.extrasecure.example.com''. (Imagine if there was one top-secret set of servers in your company that the main IT department didn't have security clearance to administer.) +  * ''*.example.com && ! *.extrasecure.example.com''. This means the CA is trusted to sign the host key for a connection if the hostname matches ''*.example.com'' but does not match ''*.extrasecure.example.com''. (Imagine if there was one top-secret set of servers in your company that the main IT department didn't have security clearance to administer.) 
-  * ''*.example.com && port:22''. This means the CA is trusted to sign the host key for a connection if the host name matches ''*.example.com'' and the port number is 22. SSH servers running on other ports would not be covered.+  * ''*.example.com && port:22''. This means the CA is trusted to sign the host key for a connection if the hostname matches ''*.example.com'' and the port number is 22. SSH servers running on other ports would not be covered.
  * ''(*.foo.example.com || *.bar.example.com) && port:0-1023''. This matches two subdomains of ''example.com'', as before, but also restricts the port number to the range 0–1023.   * ''(*.foo.example.com || *.bar.example.com) && port:0-1023''. This matches two subdomains of ''example.com'', as before, but also restricts the port number to the range 0–1023.
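Review bot: the only change in this hunk is terminological ("host name" to "hostname") in the introductory sentence and the first three bullets, and it is consistent with the unchanged opening paragraph, which already says "hostname wildcard"; the fourth bullet needed no edit because it never used the phrase. The expression syntax itself is untouched on both sides (''&&'', ''||'', ''!'', parentheses, ''port:22'' and ''port:0-1023''). One small point worth picking up while this section is being edited: the last bullet writes the range as ''port:0-1023'' in the expression but as "0–1023" (en dash) in the explanatory text, so a reader who copies the prose form into the edit box would get a different character than the expression uses; spelling the range with the same hyphen in the prose, "the range 0-1023", would remove that ambiguity.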

Last modified: by martin