Re: Missing SSHFP RRs / VerifyHostKeyDNS & StrictHostKeyChecking

On Wed, 18 Nov 2015, Thordur I. Bjornsson wrote:

> Y'all,
> 
> Currently (OpenSSH_7.1p1) no distinction is made between when an SSHFP
> RR is missing from the result set (rather than being empty), which can
> lead to confusing error messages (the "normal" warn_changed_key() blurb
> is emitted), e.g. when the presented host key and known hosts both
> match but there is no matching RR.
> 
> Further, if VerifyHostKeyDNS and StrictHostKeyChecking are set, there
> is no prompting for confirmation if the connection should be allowed to
> proceed; I'm unsure if this is by design or not (as presented host key
> and known host key match), but I'd argue this violates POLA.
> 
> Attached are two naïve patches to portable (cloned from
> anongit@xxxxxxxxxxx) that attempt to tackle the above.

Looks like the list server ate the attachments - could you attach them
to a bug on https://bugzilla.mindrot.org/ ?
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
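
The distinction drawn in the quoted report, as an added example that is not from the post, its patches, or OpenSSH: an SSHFP lookup (fingerprints computed as in RFC 4255/6594) classified as empty, missing for the presented key's algorithm, matching, or mismatching. The verdict names, the reading of "missing" versus "empty", and the sample key are assumptions constructed here.

```python
import hashlib
import struct
from enum import Enum

# SSHFP algorithm numbers by SSH key type (RFC 4255, RFC 6594, RFC 7479).
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
FP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}

class Verdict(Enum):  # hypothetical names, not OpenSSH identifiers
    EMPTY = "no SSHFP records returned for the host"
    MISSING = "SSHFP records exist, but none covers this key's algorithm"
    MATCH = "an SSHFP record matches the presented key"
    MISMATCH = "SSHFP records cover this algorithm, but none matches"

def sshfp_alg(blob):
    """Map the key type named at the start of a public key blob to its SSHFP number."""
    (n,) = struct.unpack(">I", blob[:4])
    key_type = blob[4:4 + n].decode("ascii")
    return 3 if key_type.startswith("ecdsa-sha2-") else KEY_ALGS.get(key_type)

def classify(blob, rrset):
    """rrset: (algorithm, fp_type, hex_fingerprint) tuples from a DNS lookup."""
    if not rrset:
        return Verdict.EMPTY
    alg = sshfp_alg(blob)
    relevant = [(t, fp) for a, t, fp in rrset if a == alg and t in FP_HASHES]
    if not relevant:
        return Verdict.MISSING
    # The SSHFP fingerprint is the digest of the raw public key blob.
    if any(FP_HASHES[t](blob).hexdigest() == fp.lower() for t, fp in relevant):
        return Verdict.MATCH
    return Verdict.MISMATCH

def ed25519_blob(raw32):
    """Wire format: length-prefixed "ssh-ed25519", then the length-prefixed key."""
    name = b"ssh-ed25519"
    return struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw32)) + raw32

HOST_KEY = ed25519_blob(bytes(range(32)))  # constructed sample, not a real host key
GOOD_FP = hashlib.sha256(HOST_KEY).hexdigest()

if __name__ == "__main__":
    for rrs in ([], [(1, 2, "00" * 32)], [(4, 2, GOOD_FP)], [(4, 2, "00" * 32)]):
        print(classify(HOST_KEY, rrs).name)
```

A client that reports only MATCH or "changed key" collapses EMPTY and MISSING into MISMATCH, which is the confusing case the report describes.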



