Re: Golang CertChecker hostname validation differs to OpenSSH

I think I wrote the code in question for the golang library
(https://github.com/golang/crypto/commit/527d12e53572562de9fd348d50e1ee4096803cec)

My reading of the sshd manpage is that ssh is more permissive than it should be:

SSH_KNOWN_HOSTS FILE FORMAT :
  ...

  A hostname or address may optionally be enclosed within `[' and `]'
brackets then followed by `:' and a non-standard port number.

I actually noticed this last week and meant to email this list to ask
the openssh devs about the 'correct' behavior.


On Sun, May 14, 2017 at 5:24 PM, Adam Eijdenberg <adam@xxxxxxxxxxxxxx> wrote:
> Hi all,
>
> Last week I noticed that the CertChecker in the Go implementation of
> x/crypto/ssh seems to be doing host principal validation incorrectly
> and filed the following bug:
> https://github.com/golang/go/issues/20273
>
> By default they are looking for a principal named "host:port" inside
> of the certificate presented by the server, instead of just looking
> for the host as I believe OpenSSH does.
>
> e.g. the following error is generated:
>
> ssh: handshake failed: ssh: principal "localhost:2022" not in the set
> of valid principals for given certificate: ["localhost"]
>
> Before I ping the bug again, it would be good to get a second opinion
> as to whether that behaviour is correct or not.
>
> Cheers, Adam
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
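An added example (my own code, not from x/crypto/ssh or OpenSSH) of the address-to-principal step the thread is debating: the dialled "host:port", or the known_hosts-style "[host]:port" quoted from the manpage, is reduced to the bare hostname before it is compared with the certificate's principals, so "localhost:2022" is accepted by a certificate issued to "localhost". The function names and the exact-match comparison are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// hostPrincipal returns the principal a host certificate should be checked
// against for a dialled address: the port is never part of the principal.
// Handles "host", "host:port", "[host]:port", "[v6]:port", "[v6]" and bare v6.
func hostPrincipal(addr string) (string, error) {
	if addr == "" {
		return "", errors.New("empty address")
	}
	// "host:port" and "[host]:port": drop the port, SplitHostPort strips brackets.
	if host, _, err := net.SplitHostPort(addr); err == nil {
		if host == "" {
			return "", fmt.Errorf("no host in %q", addr)
		}
		return host, nil
	}
	// "[host]" with no port: strip only the brackets.
	if strings.HasPrefix(addr, "[") && strings.HasSuffix(addr, "]") && len(addr) > 2 {
		return addr[1 : len(addr)-1], nil
	}
	// A bare IPv6 literal contains colons but is a single host.
	if net.ParseIP(addr) != nil {
		return addr, nil
	}
	// Anything else containing a colon is malformed (e.g. "host:1:2").
	if strings.Contains(addr, ":") {
		return "", fmt.Errorf("malformed address %q", addr)
	}
	return addr, nil
}

// principalMatches reports whether the host derived from addr is listed in
// the certificate's valid principals (exact match; wildcards not handled).
func principalMatches(addr string, principals []string) (bool, error) {
	host, err := hostPrincipal(addr)
	if err != nil {
		return false, err
	}
	for _, p := range principals {
		if p == host {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed input: the principal list from the error quoted in the thread.
	principals := []string{"localhost"}
	for _, addr := range []string{"localhost:2022", "[localhost]:2022", "localhost", "[::1]:22"} {
		ok, err := principalMatches(addr, principals)
		fmt.Printf("%-18s match=%v err=%v\n", addr, ok, err)
	}
}
```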