From 5f3b743eb0ae136bf34e372b10d5bbdc1755f958 Mon Sep 17 00:00:00 2001
From: Jacob Nevins <jacobn@chiark.greenend.org.uk>
Date: Fri, 21 Oct 2022 20:04:16 +0100
Subject: Tweak certified-host-key prompt.

Add a specific reassurance that taking the add-to-cache action will not
cause the CA that signed the key to be trusted in any wider context.
---
 ssh/common.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/ssh/common.c b/ssh/common.c
index 161bebbd..a1b4d77d 100644
--- a/ssh/common.c
+++ b/ssh/common.c
@@ -1037,6 +1037,12 @@ SeatPromptResult verify_ssh_host_key(
             text, SDT_PARA, "If you were expecting this change and trust the "
             "new key, %s to update %s's cache and carry on connecting.",
             pds->hk_accept_action, appname);
+        if (key && ssh_key_alg(key)->is_certificate) {
+            seat_dialog_text_append(
+                text, SDT_PARA, "(Storing this certified key in the cache "
+                "will NOT cause its certification authority to be trusted "
+                "for any other key or host.)");
+        }
         seat_dialog_text_append(
             text, SDT_PARA, "If you want to carry on connecting but without "
             "updating the cache, %s.", pds->hk_connect_once_action);
-- 
cgit v1.2.3