On May 15, 2017 09:38, "Peter Moody" <mindrot@xxxxxxxx> wrote:

On Mon, May 15, 2017 at 2:01 AM, Adam Eijdenberg <adam@xxxxxxxxxxxxxx> wrote:
> On Mon, May 15, 2017 at 11:39 AM, Peter Moody <mindrot@xxxxxxxx> wrote:
>> My reading of the sshd manpage is that ssh is more permissive than it should be.
>>
>> SSH_KNOWN_HOSTS FILE FORMAT:
>> ...
>>
>> A hostname or address may optionally be enclosed within `[' and `]'
>> brackets then followed by `:' and a non-standard port number.
>
> Hi Peter, I'm not sure that quite answers the same question.
>
> i.e. at one level there is a decision that is made about whether a line
> in the known hosts file should be evaluated for a given host/port -
> and I think that's what you are referring to above.
>
> However, once a line from known hosts is allowed for evaluation for a
> host/port, there's a second matter of checking whether the certificate
> presented contains the appropriate principal.
>
> I think this is what "check_host_cert()" does, and as far as I can tell,
> OpenSSH only passes it the hostname (not "host:port"). See:
> https://github.com/openssh/openssh-portable/blob/f382362e8dfb6b277f16779ab1936399d7f2af78/sshconnect.c#L866
>
> (For better or for worse, this would be roughly in line with X.509v3
> cert host matching, which also doesn't match on port numbers.)

Possibly. Your proposed patch removes both checks though. I think you'd
want to modify knownhosts.go if you want to support not including
non-standard ports in IsHostAuthority.

Note, you can also write your own IsHostAuthority that ignores the port;
I think this just affects the HostKeyCallback provided by
golang.org/x/crypto/ssh/knownhosts. I could be wrong about that though,
I'm about to jump on an airplane and I haven't inspected it closely.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
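As an added illustration (not code from OpenSSH, golang.org/x/crypto, or anyone in the thread) of the two separate checks Adam distinguishes, in Go with only the standard library: selecting a known_hosts line by host:port using the `[host]:port` form from sshd(8), and a principal check that, like check_host_cert(), sees only the bare hostname. The host field handling is simplified (exact names only, no wildcards or `!` negation), and the @cert-authority line and key used in testing are constructed placeholders.

```go
package main

import (
	"net"
	"strings"
)
// hostOnly strips the port from "host:port" or "[v6]:port"; a bare name is returned as is.
func hostOnly(address string) string {
	if host, _, err := net.SplitHostPort(address); err == nil {
		return host
	}
	return address
}

// canonicalHost renders an address as sshd writes it: bare hostname for port 22, else "[host]:port".
func canonicalHost(address string) string {
	if _, port, err := net.SplitHostPort(address); err == nil && port != "22" {
		return "[" + hostOnly(address) + "]:" + port
	}
	return hostOnly(address)
}

// lineApplies is the first check: does the comma-separated host field of a
// known_hosts line select this host:port? (simplified: no wildcards, no '!')
func lineApplies(hostField, address string) bool {
	target := canonicalHost(address)
	for _, p := range strings.Split(hostField, ",") {
		if strings.EqualFold(p, target) {
			return true
		}
	}
	return false
}

// principalMatches is the second check: like OpenSSH's check_host_cert(), it
// compares the certificate's principals with the bare hostname, never host:port.
func principalMatches(certPrincipals []string, address string) bool {
	for _, p := range certPrincipals {
		if strings.EqualFold(p, hostOnly(address)) {
			return true
		}
	}
	return false
}

// certAccepted applies both checks to one "@cert-authority <hosts> <keytype> <key>" line.
func certAccepted(line string, certPrincipals []string, address string) bool {
	f := strings.Fields(line)
	return len(f) >= 4 && f[0] == "@cert-authority" &&
		lineApplies(f[1], address) && principalMatches(certPrincipals, address)
}
```

A custom IsHostAuthority that should ignore the port could pass `hostOnly(address)` rather than the raw address into whatever lookup it performs.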