On Mon, May 15, 2017 at 3:52 PM, Adam Eijdenberg <adam@xxxxxxxxxxxxxx> wrote: > On Tue, May 16, 2017 at 2:38 AM, Peter Moody <mindrot@xxxxxxxx> wrote: >> your proposed patch removes both checks though. I think you'd want to >> modify knownhosts.go if you want to support not including non-standard >> ports in IsHostAuthority. > > My intention wasn't to modify both checks - I'm currently only > concerned with principal checking, although I can see how your recent > patch (as implemented) would also be affected (so if we do change > anything here, we'll probably need to refactor a little). > > Let me give a concrete example, currently our certificates (OpenSSH > server, and OpenSSH client) look like this and everything works great: > > Principals: > auth.example.local > auth.example.com.au > > However, if I write a Go client (which requires a port number be > specified in their Dial string): > > log.Println(ssh.Dial("tcp", "auth.example.local:10000", &ssh.ClientConfig{ > HostKeyCallback: (&ssh.CertChecker{}).CheckHostKey, > })) > > I get the following error, before even attempting to evaluating > IsHostAuthority(): > > ssh: handshake failed: ssh: principal "auth.example.local:10000" > not in the set of valid principals for given certificate: > ["auth.example.local" "auth.example.com.au"] > > > If I want a certificate to work with OpenSSH server, and both Go and > OpenSSH clients, I need to re-generate a certificate like this: > > Principals: > auth.example.local > auth.example.com.au > auth.example.local:10000 > auth.example.com.au:10000 > > > That doesn't seem right, and I think the Go principal evaluation is > incorrect, but I would like a second opinion. I can kind of see the argument that the port shouldn't be in principal, but it seems a little odd, especially given the known_hosts restrictions from the sshd manpage, that a cert would be good for all 2^16 ports. > (that code in Go also seems to be at least 3 years old) _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev