Re: Golang CertChecker hostname validation differs to OpenSSH

On Mon, May 15, 2017 at 11:39 AM, Peter Moody <mindrot@xxxxxxxx> wrote:
> my reading of the sshd manpage is that ssh is more permissive than it should be
>
> SSH_KNOWN_HOSTS FILE FORMAT :
>   ...
>
>   A hostname or address may optionally be enclosed within `[' and `]'
> brackets then followed by `:' and a non-standard port number.

Hi Peter, I'm not sure that quite answers the same question.

i.e. at one level there is a decision that is made about whether a line
in the known hosts file should be evaluated for a given host/port -
and I think that's what you are referring to above.

However once a line from known hosts is allowed for evaluation for a
host/port, there's a second matter of checking whether the certificate
presented contains the appropriate principal.

I think this is what "check_host_cert()" does, and as far as I can tell,
OpenSSH only passes it the hostname (not "host:port"). See:
https://github.com/openssh/openssh-portable/blob/f382362e8dfb6b277f16779ab1936399d7f2af78/sshconnect.c#L866

(for better or for worse, this would be roughly in line with X.509v3
cert host matching, which also doesn't match on port numbers)
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
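The two-step check described in the message above, written out as an added Go example (not code from this thread, from OpenSSH, or from Go's x/crypto/ssh package): the first function decides whether a known_hosts host field applies to a given host and port, following the sshd(8) format quoted by Peter (a bare name implies port 22, "[host]:port" pins a non-standard port), and the second reduces the address to the bare hostname before comparing it against the certificate's principals, as the message says check_host_cert() is called. The function names, the principal list and the sample host fields are all constructed for this illustration; wildcards, negated and hashed known_hosts entries are intentionally not handled.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Constructed sample: one known_hosts host field per line, as sshd(8) describes.
// A bare hostname implies port 22; "[host]:port" pins a non-standard port.
var sampleHostFields = []string{
	"example.com",
	"[example.com]:2222",
	"[example.com]:2222,alias.example",
}

// knownHostsEntryMatches reports whether the comma-separated host field of a
// known_hosts line applies to a connection to host:port. This is the first,
// line-selection step discussed in the message. Wildcards, negations and
// hashed (|1|...) entries are deliberately not handled here.
func knownHostsEntryMatches(hostField, host string, port int) bool {
	for _, pat := range strings.Split(hostField, ",") {
		pat = strings.TrimSpace(pat)
		if pat == "" {
			continue
		}
		patHost, patPort := pat, 22
		if strings.HasPrefix(pat, "[") {
			end := strings.Index(pat, "]:")
			if end < 0 {
				continue // malformed bracketed entry: never matches
			}
			p, err := strconv.Atoi(pat[end+2:])
			if err != nil {
				continue // non-numeric port: never matches
			}
			patHost, patPort = pat[1:end], p
		}
		if strings.EqualFold(patHost, host) && patPort == port {
			return true
		}
	}
	return false
}

// principalForAddress reduces a "host:port" (or bracketed IPv6) address to the
// bare hostname that is compared against the host certificate's principals,
// mirroring the hostname-only argument the message says check_host_cert() gets.
func principalForAddress(addr string) string {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		// No port present: take the address as-is, minus any IPv6 brackets.
		host = strings.TrimSuffix(strings.TrimPrefix(addr, "["), "]")
	}
	return strings.ToLower(host)
}

// certAllowsHost is the second step: does the certificate's principal list
// cover the hostname? The port plays no part, which is the behaviour the
// message compares to X.509 host matching.
func certAllowsHost(principals []string, addr string) bool {
	want := principalForAddress(addr)
	for _, p := range principals {
		if strings.EqualFold(p, want) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed host certificate principal list (hypothetical values).
	principals := []string{"example.com"}
	for _, addr := range []string{"example.com:22", "example.com:2222", "alias.example:22"} {
		host, portStr, _ := net.SplitHostPort(addr)
		port, _ := strconv.Atoi(portStr)
		for _, field := range sampleHostFields {
			fmt.Printf("known_hosts %-36q applies to %-18s %v\n",
				field, addr, knownHostsEntryMatches(field, host, port))
		}
		fmt.Printf("cert principals %v cover %-18s %v\n\n",
			principals, addr, certAllowsHost(principals, addr))
	}
}
```

Running the block shows the asymmetry the message is pointing at: a connection to example.com:2222 is only selected by the "[example.com]:2222" known_hosts line, yet once selected, a certificate whose sole principal is "example.com" is accepted for it, because the principal comparison never sees the port.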
