On Mon, 15 May 2017, Adam Eijdenberg wrote:

> Hi all,
>
> Last week I noticed that the CertChecker in the Go implementation of
> x/crypto/ssh seems to be doing host principal validation incorrectly
> and filed the following bug:
> https://github.com/golang/go/issues/20273
>
> By default they are looking for a principal named "host:port" inside
> of the certificate presented by the server, instead of just looking
> for the host as I believe OpenSSH does.

Darren will know better, since IIRC he added the port specifier to
known_hosts originally. But I believe the behaviour is:

If the default port is in use then the host principal is just the
hostname.

If a non-default port, then the host principal is "[host]:port".

If a non-default port is in use and "[host]:port" doesn't match, then
try the plain hostname.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
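
The lookup order described in the message above, written out as an added Go example; it is not code from OpenSSH, from x/crypto/ssh, or from anyone on the thread. The function names, the host build.example.org and port 2222 are assumptions made for illustration, and hostPortLookup only models the "host:port" lookup that the quoted report describes.

```go
package main

import "fmt"

const defaultSSHPort = 22

// candidatePrincipals lists the names to look for in a host certificate,
// in the order the message describes (assumed helper, not an OpenSSH API).
func candidatePrincipals(host string, port int) []string {
	if port == defaultSSHPort {
		return []string{host}
	}
	// Non-default port: bracketed form first, plain hostname as fallback.
	return []string{fmt.Sprintf("[%s]:%d", host, port), host}
}

// matchHostPrincipal returns the first candidate present in the
// certificate's principal list, or "" when none of them is listed.
func matchHostPrincipal(certPrincipals []string, host string, port int) string {
	listed := make(map[string]bool, len(certPrincipals))
	for _, p := range certPrincipals {
		listed[p] = true
	}
	for _, c := range candidatePrincipals(host, port) {
		if listed[c] {
			return c
		}
	}
	return ""
}

// hostPortLookup models the single "host:port" name that the quoted report
// says is looked for by default; it returns whether the certificate lists it.
func hostPortLookup(certPrincipals []string, host string, port int) bool {
	want := fmt.Sprintf("%s:%d", host, port)
	for _, p := range certPrincipals {
		if p == want {
			return true
		}
	}
	return false
}

func main() {
	cert := []string{"build.example.org"} // constructed principal list
	fmt.Printf("%q\n", matchHostPrincipal(cert, "build.example.org", 22))
	fmt.Printf("%q\n", matchHostPrincipal(cert, "build.example.org", 2222))
	fmt.Println(hostPortLookup(cert, "build.example.org", 22))
}
```

A certificate issued for the bare hostname passes the described order on both ports, while the "host:port" lookup finds nothing in it.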