On 11/07/2014 12:29 PM, Damien Miller wrote:
> On Fri, 7 Nov 2014, Peter Ankerstål wrote:
> > > What principals (if any) are associated with the host cert?
> >
> > Right now I don't have any principals at all in the host cert.
>
> That's likely the problem then. The principals should list the
> hostname(s) of the server. (I agree that the documentation here is
> terrible).
>
> > > If I recall correctly, sshd will use the FQDN when validating the key
> > > or certificate offered by the client. Thus, if you specified any
> > > principals for the certificate, the list must include the FQDN and
> > > the pattern for the @cert-authority entry needs to also match the FQDN.
> >
> > When logging in with key-based authentication the host CA works fine.
> >
> >   debug1: Host 'm3' is known and matches the ECDSA-CERT host certificate.
> >   debug1: Found CA key in /etc/ssh/ssh_known_hosts:1
> >
> > But when doing hostbased authentication it first gives me those two
> > lines but then tries to look for m3 specifically in ssh_known_hosts.
>
> That's strange - I'll take a look via the bug.
>
> -d

I am NOT a programmer, but to me it looks like we need some sort of
logic about certs around this block of code in auth2-hostbased.c:

    host_status = check_key_in_hostfiles(pw, key, lookup,
        _PATH_SSH_SYSTEM_HOSTFILE,
        options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);
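The setup Damien describes (host certificate principals that list the server's FQDN, and an @cert-authority entry in ssh_known_hosts whose hostname pattern matches that FQDN), as an added shell example that is not part of this thread or of OpenSSH. The hostnames m3.example.com and m3, the key file names and the CA key line are assumptions made for illustration; the CA key blob is a constructed placeholder. The ca_pattern_matches function is my own approximation of how sshd's match_hostname() treats a known_hosts pattern list (comma-separated, '*' and '?' wildcards, leading '!' negation, case-insensitive), and the ssh-keygen walkthrough only runs when ssh-keygen is installed.

```sh
#!/bin/sh
# Added example, not code from the thread or from OpenSSH. Hostnames, file
# names and the CA key line below are assumptions for illustration only.

# Constructed stand-in for the contents of host_ca.pub (the blob is NOT a real key).
SAMPLE_CA_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyBlobNotARealKey host-ca@example.com'

# Build the ssh_known_hosts line that trusts certificates signed by the CA for
# hosts matching PATTERNS. $1 = hostname pattern list, $2 = CA .pub file contents.
cert_authority_line() {
    pattern=$1
    printf '%s\n' "$2" | {
        read -r keytype keyblob _comment
        printf '@cert-authority %s %s %s\n' "$pattern" "$keytype" "$keyblob"
    }
}

# My own re-implementation (assumption, for illustration) of how sshd's
# match_hostname() tests a host against a known_hosts pattern list:
# comma-separated patterns, '*' and '?' wildcards, case-insensitive, and a
# leading '!' negates a pattern; a matching negated pattern rejects the host
# outright. Hashed known_hosts entries are not handled. Returns 0 on match.
ca_pattern_matches() {
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    matched=1
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        case $p in
            '!'*)
                p=${p#!}
                case $host in $p) return 1 ;; esac ;;   # negation wins
            *)
                case $host in $p) matched=0 ;; esac ;;
        esac
    done <<EOF
$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr ',' '\n')
EOF
    return $matched
}

# Walk through both cases with a real ssh-keygen when one is installed:
# a host cert with no principals (the thread's problem), then one whose
# principals list the FQDN, plus the matching ssh_known_hosts line.
demo_host_cert() {
    if ! command -v ssh-keygen >/dev/null 2>&1; then
        echo "ssh-keygen not installed; skipping the key-generation walkthrough" >&2
        return 0
    fi
    d=$(mktemp -d) || return 1
    ssh-keygen -q -t ed25519 -N '' -f "$d/host_ca" -C host-ca@example.com
    ssh-keygen -q -t ed25519 -N '' -f "$d/ssh_host_ed25519_key" -C m3.example.com

    echo '--- host cert signed WITHOUT -n: sshd has no principal to match ---'
    ssh-keygen -q -s "$d/host_ca" -I m3-host -h "$d/ssh_host_ed25519_key.pub"
    ssh-keygen -L -f "$d/ssh_host_ed25519_key-cert.pub" | sed -n '/Principals:/,/Critical Options:/p'

    echo '--- host cert signed with -n listing the FQDN and the short name ---'
    rm -f "$d/ssh_host_ed25519_key-cert.pub"
    ssh-keygen -q -s "$d/host_ca" -I m3-host -h -n m3.example.com,m3 \
        "$d/ssh_host_ed25519_key.pub"
    ssh-keygen -L -f "$d/ssh_host_ed25519_key-cert.pub" | sed -n '/Principals:/,/Critical Options:/p'

    echo '--- /etc/ssh/ssh_known_hosts line trusting this CA for those names ---'
    cert_authority_line 'm3.example.com,m3' "$(cat "$d/host_ca.pub")"
    rm -rf "$d"
}

# The pattern check sshd effectively performs against the FQDN it resolved.
ca_pattern_matches 'm3.example.com,m3' 'm3.example.com' && echo "pattern 'm3.example.com,m3' matches the FQDN"
ca_pattern_matches 'm3' 'm3.example.com' || echo "a bare 'm3' pattern does NOT match the FQDN"
demo_host_cert
```

The point the two ca_pattern_matches calls make is the one from the thread: a short name in the @cert-authority pattern (or in the certificate's principals) is not enough when sshd looks the peer up by its FQDN, so list the FQDN in both places, or use a wildcard pattern such as *.example.com in ssh_known_hosts.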
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev