Re: Golang CertChecker hostname validation differs to OpenSSH

On Mon, 15 May 2017, Adam Eijdenberg wrote:

> Hi all,
> 
> Last week I noticed that the CertChecker in the Go implementation of
> x/crypto/ssh seems to be doing host principal validation incorrectly
> and filed the following bug:
> https://github.com/golang/go/issues/20273
> 
> By default they are looking for a principal named "host:port" inside
> of the certificate presented by the server, instead of just looking
> for the host as I believe OpenSSH does.

Darren will know better, since IIRC he added the port specifier to
known_hosts originally. But I believe the behaviour is:

If the default port is in use then the host principal is just the hostname.

If a non-default port, then the host principal is "[host]:port".

If a non-default port is in use and "[host]:port" doesn't match, then
try the plain hostname.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
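
The lookup order described in the reply above, as an added Go example that is not part of the original thread and is not code from OpenSSH or x/crypto/ssh. It implements only the order the reply states as the author's belief; the function names, the sample host and the principal lists are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
)

// defaultSSHPort is the standard SSH port (assumption of this example).
const defaultSSHPort = "22"

// candidatePrincipals returns the host principal names to try, in order, for
// a dialed "host:port" address, following the order given in the reply:
// plain host on the default port, else "[host]:port" and then plain host.
func candidatePrincipals(addr string) ([]string, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, fmt.Errorf("address %q is not host:port: %w", addr, err)
	}
	if port == defaultSSHPort {
		return []string{host}, nil
	}
	return []string{"[" + host + "]:" + port, host}, nil
}

// matchHostPrincipal returns the first candidate for addr that appears in the
// certificate's principal list. A bare "host:port" string is never a
// candidate, so a certificate listing only that form does not match.
func matchHostPrincipal(addr string, certPrincipals []string) (string, bool) {
	cands, err := candidatePrincipals(addr)
	if err != nil {
		return "", false // fail closed on an unparseable address
	}
	for _, c := range cands {
		for _, p := range certPrincipals {
			if c == p {
				return c, true
			}
		}
	}
	return "", false
}

func main() {
	// Constructed sample principal list, as a host certificate might carry.
	principals := []string{"db.example.com"}
	for _, addr := range []string{"db.example.com:22", "db.example.com:2222"} {
		m, ok := matchHostPrincipal(addr, principals)
		fmt.Printf("%-22s matched=%v principal=%q\n", addr, ok, m)
	}
}
```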


