Re: Golang CertChecker hostname validation differs to OpenSSH

Off-hand, port is not a part of the principal. So the Go code is wrong.

Regards,
Uri

Sent from my iPhone

> On May 15, 2017, at 18:59, Adam Eijdenberg <adam@xxxxxxxxxxxxxx> wrote:
> 
>> On Tue, May 16, 2017 at 2:38 AM, Peter Moody <mindrot@xxxxxxxx> wrote:
>> your proposed patch removes both checks though. I think you'd want to
>> modify knownhosts.go if you want to support not including non-standard
>> ports in IsHostAuthority.
> 
> My intention wasn't to modify both checks - I'm currently only
> concerned with principal checking, although I can see how your recent
> patch (as implemented) would also be affected (so if we do change
> anything here, we'll probably need to refactor a little).
> 
> Let me give a concrete example, currently our certificates (OpenSSH
> server, and OpenSSH client) look like this and everything works great:
> 
> Principals:
>        auth.example.local
>        auth.example.com.au
> 
> However, if I write a Go client (which requires a port number be
> specified in their Dial string):
> 
>    log.Println(ssh.Dial("tcp", "auth.example.local:10000", &ssh.ClientConfig{
>        HostKeyCallback: (&ssh.CertChecker{}).CheckHostKey,
>    }))
> 
> I get the following error, before even attempting to evaluate
> IsHostAuthority():
> 
>    ssh: handshake failed: ssh: principal "auth.example.local:10000"
> not in the set of valid principals for given certificate:
> ["auth.example.local" "auth.example.com.au"]
> 
> 
> If I want a certificate to work with OpenSSH server, and both Go and
> OpenSSH clients, I need to re-generate a certificate like this:
> 
> Principals:
>        auth.example.local
>        auth.example.com.au
>        auth.example.local:10000
>        auth.example.com.au:10000
> 
> 
> That doesn't seem right, and I think the Go principal evaluation is
> incorrect, but I would like a second opinion.
> 
> (that code in Go also seems to be at least 3 years old)
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
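As an added illustration of the point under discussion (this is not code from the thread or from the x/crypto/ssh package, and the function names are assumptions), a principal check that strips the port from the Dial address before comparing against the certificate's principals, the way OpenSSH compares hostnames, while still handling bracketed IPv6 literals and addresses given without a port:

```go
package main

import (
	"fmt"
	"net"
)

// certPrincipals are the host certificate's principals quoted in the
// thread (constructed sample input).
var certPrincipals = []string{"auth.example.local", "auth.example.com.au"}

// hostFromDialAddr returns the host part of a Dial address such as
// "auth.example.local:10000" or "[fe80::1]:22". An address without a
// port (which net.SplitHostPort rejects) is returned unchanged, so a
// bare hostname is still checked as-is.
func hostFromDialAddr(addr string) string {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return addr
	}
	return host
}

// principalMatches reports whether the dial address, with any port
// removed, is exactly one of the certificate's principals. The port is
// never part of the principal, so "auth.example.local:10000" matches a
// certificate issued for "auth.example.local".
func principalMatches(dialAddr string, principals []string) bool {
	host := hostFromDialAddr(dialAddr)
	for _, p := range principals {
		if p == host {
			return true
		}
	}
	return false
}

func main() {
	for _, addr := range []string{"auth.example.local:10000", "auth.example.local", "auth.example.org:22"} {
		fmt.Printf("%-28s matches=%v\n", addr, principalMatches(addr, certPrincipals))
	}
}
```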

