@cert-authority in known_hosts doesn't work #2429

@kaysond

Prerequisites

  • Write a descriptive title.
  • Make sure you are able to repro it on the latest version
  • Search the existing issues.

Steps to reproduce

  1. Set up an SSH server with a host certificate signed by some CA key
  2. Add the appropriate @cert-authority statement to known_hosts
  3. (Optional) set StrictHostKeyChecking yes in ssh config

Expected behavior

SSH should connect

Actual behavior

SSH fails due to Host key verification

Error details

debug1: No matching CA found. Retry with plain key
No ED25519 host key is known for REDACTED and you have requested strict checking.
Host key verification failed.

See more below.

Environment data

Name                           Value
----                           -----
PSVersion                      5.1.19041.5129
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.19041.5129
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version

OpenSSH_for_Windows_10.0p2 Win32-OpenSSH-GitHub, LibreSSL 4.2.0

Visuals

known_hosts:

@cert-authority * ecdsa-sha2-nistp384 REDACTED

ssh -vvv output:

PS C:\Users\REDACTED\Downloads> ssh -vvv REDACTED
debug1: OpenSSH_for_Windows_10.0p2 Win32-OpenSSH-GitHub, LibreSSL 4.2.0
debug3: Started with: "C:\\\\Program Files\\\\OpenSSH\\\\ssh.exe" -vvv REDACTED
debug1: Reading configuration data C:\\Users\\REDACTED/.ssh/config
debug1: C:\\Users\\REDACTED/.ssh/config line 4: Applying options for REDACTED
debug3: Failed to open file:C:/ProgramData/ssh/ssh_config error:2
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> 'C:\\Users\\REDACTED/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> 'C:\\Users\\REDACTED/.ssh/known_hosts2'
debug2: resolving "REDACTED" port 22
debug3: resolve_host: lookup REDACTED:22
debug3: channel_clear_timeouts: clearing
debug3: ssh_connect_direct: entering
debug1: Connecting to REDACTED [10.7.7.6] port 22.
debug1: Connection established.
debug3: Failed to open file:C:/Users/REDACTED/.ssh/id_rsa error:2
debug3: Failed to open file:C:/Users/REDACTED/.ssh/id_rsa.pub error:2
debug3: failed to open file:C:/Users/REDACTED/.ssh/id_rsa error:2
debug1: identity file C:\\Users\\REDACTED/.ssh/id_rsa type -1
debug3: Failed to open file:C:/Users/REDACTED/.ssh/id_rsa-cert error:2
debug3: Failed to open file:C:/Users/REDACTED/.ssh/id_rsa-cert.pub error:2
debug3: failed to open file:C:/Users/REDACTED/.ssh/id_rsa-cert error:2
debug1: identity file C:\\Users\\REDACTED/.ssh/id_rsa-cert type -1
debug3: Failed to open file:C:/Users/REDACTED/.ssh/id_ecdsa error:2
debug3: Failed to open file:C:/Users/REDACTED/.ssh/id_ecdsa.pub error:2
debug3: failed to open file:C:/Users/REDACTED/.ssh/id_ecdsa error:2
debug1: identity file C:\\Users\\REDACTED/.ssh/id_ecdsa type -1
debug3: Failed to open file:C:/Users/REDACTED/.ssh/id_ecdsa-cert error:2
debug3: Failed to open file:C:/Users/REDACTED/.ssh/id_ecdsa-cert.pub error:2
debug3: failed to open file:C:/Users/REDACTED/.ssh/id_ecdsa-cert error:2
debug1: identity file C:\\Users\\REDACTED/.ssh/id_ecdsa-cert type -1
debug3: Failed to open file:C:/Users/REDACTED/.ssh/id_ecdsa_sk error:2
debug3: Failed to open file:C:/Users/REDACTED/.ssh/id_ecdsa_sk.pub error:2
debug3: failed to open file:C:/Users/REDACTED/.ssh/id_ecdsa_sk error:2
debug1: identity file C:\\Users\\REDACTED/.ssh/id_ecdsa_sk type -1
debug3: Failed to open file:C:/Users/REDACTED/.ssh/id_ecdsa_sk-cert error:2
debug3: Failed to open file:C:/Users/REDACTED/.ssh/id_ecdsa_sk-cert.pub error:2
debug3: failed to open file:C:/Users/REDACTED/.ssh/id_ecdsa_sk-cert error:2
debug1: identity file C:\\Users\\REDACTED/.ssh/id_ecdsa_sk-cert type -1
debug3: Failed to open file:C:/Users/REDACTED/.ssh/id_ed25519 error:2
debug3: Failed to open file:C:/Users/REDACTED/.ssh/id_ed25519.pub error:2
debug3: failed to open file:C:/Users/REDACTED/.ssh/id_ed25519 error:2
debug1: identity file C:\\Users\\REDACTED/.ssh/id_ed25519 type -1
debug3: Failed to open file:C:/Users/REDACTED/.ssh/id_ed25519-cert error:2
debug3: Failed to open file:C:/Users/REDACTED/.ssh/id_ed25519-cert.pub error:2
debug3: failed to open file:C:/Users/REDACTED/.ssh/id_ed25519-cert error:2
debug1: identity file C:\\Users\\REDACTED/.ssh/id_ed25519-cert type -1
debug3: Failed to open file:C:/Users/REDACTED/.ssh/id_ed25519_sk error:2
debug3: Failed to open file:C:/Users/REDACTED/.ssh/id_ed25519_sk.pub error:2
debug3: failed to open file:C:/Users/REDACTED/.ssh/id_ed25519_sk error:2
debug1: identity file C:\\Users\\REDACTED/.ssh/id_ed25519_sk type -1
debug3: Failed to open file:C:/Users/REDACTED/.ssh/id_ed25519_sk-cert error:2
debug3: Failed to open file:C:/Users/REDACTED/.ssh/id_ed25519_sk-cert.pub error:2
debug3: failed to open file:C:/Users/REDACTED/.ssh/id_ed25519_sk-cert error:2
debug1: identity file C:\\Users\\REDACTED/.ssh/id_ed25519_sk-cert type -1
debug3: Failed to open file:C:/Users/REDACTED/.ssh/id_xmss error:2
debug3: Failed to open file:C:/Users/REDACTED/.ssh/id_xmss.pub error:2
debug3: failed to open file:C:/Users/REDACTED/.ssh/id_xmss error:2
debug1: identity file C:\\Users\\REDACTED/.ssh/id_xmss type -1
debug3: Failed to open file:C:/Users/REDACTED/.ssh/id_xmss-cert error:2
debug3: Failed to open file:C:/Users/REDACTED/.ssh/id_xmss-cert.pub error:2
debug3: failed to open file:C:/Users/REDACTED/.ssh/id_xmss-cert error:2
debug1: identity file C:\\Users\\REDACTED/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_10.0 Win32-OpenSSH-GitHub
debug1: Remote protocol version 2.0, remote software version OpenSSH_10.0p2 Debian-7
debug1: compat_banner: match: OpenSSH_10.0p2 Debian-7 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to REDACTED:22 as 'REDACTED'
debug3: Failed to open file:C:/Users/REDACTED/.ssh/known_hosts2 error:2
debug1: load_hostkeys: fopen C:\\Users\\REDACTED/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: no algorithms matched; accept original
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,kex-strict-c-v00@openssh.com
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g==,gss-group16-sha512-toWM5Slw5Ew8Mqkay+al2g==,gss-nistp256-sha256-toWM5Slw5Ew8Mqkay+al2g==,gss-curve25519-sha256-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,ext-info-s,kex-strict-s-v00@openssh.com
debug2: host key algorithms: ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug3: kex_choose_conf: will use strict KEX ordering
debug1: kex: algorithm: mlkem768x25519-sha256
debug1: kex: host key algorithm: ssh-ed25519-cert-v01@openssh.com
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host certificate: ssh-ed25519-cert-v01@openssh.com SHA256:4rI9DUheuGDJHC3PBQzNdoRJ6CjCmVxjkH9/Ic9xg8o, serial 9712111745935794739 ID "REDACTED" CA ecdsa-sha2-nistp384 SHA256:IIzLKPASdOD53fQLNkVfAhdGrghERMAav/YhOZ3uUwk valid from 2026-03-02T15:21:13 to 2026-03-09T16:22:13
debug2: Server host certificate hostname: REDACTED
debug3: Failed to open file:C:/Users/REDACTED/.ssh/known_hosts2 error:2
debug1: load_hostkeys: fopen C:\\Users\\REDACTED/.ssh/known_hosts2: No such file or directory
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts: No such file or directory
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts2: No such file or directory
debug1: No matching CA found. Retry with plain key
No ED25519 host key is known for REDACTED and you have requested strict checking.

Notably, if I use the same known_hosts file on WSL and connect to the same host, things work just fine.

OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /home/REDACTED/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/REDACTED/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/REDACTED/.ssh/known_hosts2'
debug2: resolving "REDACTED" port 22
debug3: resolve_host: lookup REDACTED:22
debug3: ssh_connect_direct: entering
debug1: Connecting to REDACTED [10.7.7.6] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: Connection established.
debug1: identity file /home/REDACTED/.ssh/REDACTED@REDACTED.key type 3
debug1: identity file /home/REDACTED/.ssh/REDACTED@REDACTED.key-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_10.0p2 Debian-7
debug1: compat_banner: match: OpenSSH_10.0p2 Debian-7 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to REDACTED:22 as 'REDACTED'
debug3: record_hostkey: found ca key type ECDSA in file /home/REDACTED/.ssh/known_hosts:1
debug3: load_hostkeys_file: loaded 1 keys from REDACTED
debug1: load_hostkeys: fopen /home/REDACTED/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,kex-strict-c-v00@openssh.com
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g==,gss-group16-sha512-toWM5Slw5Ew8Mqkay+al2g==,gss-nistp256-sha256-toWM5Slw5Ew8Mqkay+al2g==,gss-curve25519-sha256-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,ext-info-s,kex-strict-s-v00@openssh.com
debug2: host key algorithms: ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug3: kex_choose_conf: will use strict KEX ordering
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519-cert-v01@openssh.com
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host certificate: ssh-ed25519-cert-v01@openssh.com SHA256:4rI9DUheuGDJHC3PBQzNdoRJ6CjCmVxjkH9/Ic9xg8o, serial 9712111745935794739 ID "REDACTED" CA ecdsa-sha2-nistp384 SHA256:IIzLKPASdOD53fQLNkVfAhdGrghERMAav/YhOZ3uUwk valid from 2026-03-02T15:21:13 to 2026-03-09T16:22:13
debug2: Server host certificate hostname: REDACTED
debug3: record_hostkey: found ca key type ECDSA in file /home/REDACTED/.ssh/known_hosts:1
debug3: load_hostkeys_file: loaded 1 keys from REDACTED
debug1: load_hostkeys: fopen /home/REDACTED/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'REDACTED' is known and matches the ED25519-CERT host certificate.
debug1: Found CA key in /home/REDACTED/.ssh/known_hosts:1
debug3: check_host_key: certificate host key in use; disabling UpdateHostkeys
debug3: send packet: type 21
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
debug1: Will attempt key: /home/REDACTED/.ssh/REDACTED@REDACTED.key ED25519 SHA256:4SNIx0hfjyR4wj38mNF1DTje4rzfKz4//iO3aVovlj8 explicit
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256>
debug1: kex_input_ext_info: publickey-hostbound@openssh.com=<0>
debug1: kex_input_ext_info: ping@openssh.com (unrecognised)
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: send packet: type 50
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: receive packet: type 60
debug1: Delegating credentials
debug3: send packet: type 61
debug3: receive packet: type 61
debug1: Delegating credentials
debug3: send packet: type 66
debug3: receive packet: type 52
Authenticated to REDACTED ([10.7.7.6]:22) using "gssapi-with-mic".
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 80
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug1: Sending environment.
debug3: Ignored env PWD
debug3: Ignored env HOSTTYPE
debug3: Ignored env SHLVL
debug3: Ignored env LOGNAME
debug3: Ignored env _tide_pad
debug3: Ignored env SSH_AGENT_PID
debug3: Ignored env NAME
debug3: Ignored env GPG_TTY
debug3: Ignored env XDG_DATA_DIRS
debug3: Ignored env SSH_ENV
debug1: channel 0: setting env LANG = "C.UTF-8"
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env WSLENV
debug3: Ignored env WT_PROFILE_ID
debug3: Ignored env SSH_AUTH_SOCK
debug3: Ignored env SHELL
debug3: Ignored env WT_SESSION
debug3: Ignored env TERM
debug3: Ignored env HOME
debug3: Ignored env WSL_DISTRO_NAME
debug3: Ignored env _tide_color_separator_same_color
debug3: Ignored env PATH
debug3: Ignored env USER
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0

Note the same server host key and CA, but it finds the CA:

debug1: Server host certificate: ssh-ed25519-cert-v01@openssh.com SHA256:4rI9DUheuGDJHC3PBQzNdoRJ6CjCmVxjkH9/Ic9xg8o, serial 9712111745935794739 ID "REDACTED" CA ecdsa-sha2-nistp384 SHA256:IIzLKPASdOD53fQLNkVfAhdGrghERMAav/YhOZ3uUwk valid from 2026-03-02T15:21:13 to 2026-03-09T16:22:13
debug2: Server host certificate hostname: REDACTED
debug3: record_hostkey: found ca key type ECDSA in file /home/REDACTED/.ssh/known_hosts:1
debug3: load_hostkeys_file: loaded 1 keys from REDACTED
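
As an added illustration (not part of the original issue and not OpenSSH code), the Python sketch below models the lookup behind "No matching CA found": a known_hosts line vouches for a host certificate only if it carries the @cert-authority marker, its host patterns cover the host name, and its key has the fingerprint ssh prints after "CA ecdsa-sha2-nistp384" in the "Server host certificate" line. The key material and host names are constructed for the example, and hashed (|1|...) host entries are not handled.

```python
import base64
import hashlib
import re
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def fingerprint(key_b64: str) -> str:
    """Fingerprint as ssh prints it: SHA-256 of the key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_matches(patterns: str, host: str) -> bool:
    """Comma-separated patterns with * and ? wildcards; a matching !pattern vetoes."""
    matched = False
    for pat in patterns.split(","):
        negated = pat.startswith("!")
        body = pat[1:] if negated else pat
        regex = re.escape(body).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, host, re.IGNORECASE):
            if negated:
                return False
            matched = True
    return matched


def find_cas(known_hosts_text: str, host: str, ca_fp: str):
    """Return (line_no, key_type) for every CA line that covers host with key ca_fp."""
    hits = []
    for no, line in enumerate(known_hosts_text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] != "@cert-authority" or len(fields) < 4:
            continue  # plain keys and @revoked lines cannot vouch for a certificate
        _, patterns, key_type, key_b64 = fields[:4]
        try:
            fp = fingerprint(key_b64)
        except ValueError:  # binascii.Error: the key field is not valid base64
            continue
        if host_matches(patterns, host) and fp == ca_fp:
            hits.append((no, key_type))
    return hits


def sample_ca_key() -> str:
    """Constructed blob shaped like an ecdsa-sha2-nistp384 key (not a real curve point)."""
    blob = (ssh_string(b"ecdsa-sha2-nistp384") + ssh_string(b"nistp384")
            + ssh_string(b"\x04" + bytes(range(96))))
    return base64.b64encode(blob).decode()


SAMPLE_KEY = sample_ca_key()
# Constructed known_hosts content: line 2 mirrors the entry shown in the issue.
SAMPLE_KNOWN_HOSTS = (
    "# constructed sample\n"
    f"@cert-authority * ecdsa-sha2-nistp384 {SAMPLE_KEY}\n"
    f"@cert-authority *.corp.example,!legacy.corp.example ecdsa-sha2-nistp384 {SAMPLE_KEY}\n"
    f"host.example ecdsa-sha2-nistp384 {SAMPLE_KEY}\n"
)

if __name__ == "__main__":
    ca_fp = fingerprint(SAMPLE_KEY)  # stands in for the CA fingerprint from the debug log
    for host in ("db1.corp.example", "legacy.corp.example"):
        print(host, ca_fp, find_cas(SAMPLE_KNOWN_HOSTS, host, ca_fp))
```

Against a real file, pass its text, the host name, and the CA fingerprint copied from the "Server host certificate" debug line; an empty result means no line in that text satisfies all three conditions.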
