Hi,
tlclient (tested only with current linux version) does seem
to ignore any CA keys in /opt/thinlinc/etc/ssh_known_hosts added via, i.e :
echo "@cert-authority *.example.com $(cat /etc/ssh/ca.pub)" >>/opt/thinlinc/etc/ssh_known_hosts
In my use case, all hosts running TL software have their sshkeys signed by a CA.
I propose to implement support for ssh keys signed by a CA. Specifically,
if CA sshpubkey is in /opt/thinlinc/etc/ssh_known_hosts tlclient should happily
accept any (barring CRL) ssh key signed by it without warning user about unknown authenticity/fingerprint.