Re: Golang CertChecker hostname validation differs to OpenSSH

Blumenthal, Uri - 0553 - MITLL wrote:
>  
>     > Uri (earlier in this thread) does answer this question clearly (that
>     > the principal should be the hostname only), and, now that I've found
>     > PROTOCOL.certkeys, this seems to be spelt out unambiguously there too:
>     
> In turn this means: One cannot expect several SSH services on a single host to be
> securely distinguishable from each other by their particular service key. So if one of
> the SSH services gets compromised all SSH services on this host are subject to MITM
> attacks with the private key of the compromised service.
> 
> Yes and no. The standards wisely do not allow port numbers as a part of the DNS
> identity.

Ok, then one must access the different services by different FQDN.

> I still think it’s not a very good idea to “securely distinguish several SSH services
> running on a single host”, but it seems entirely doable if you’re bent on it.

I'm curious: what's wrong with having a separate SFTP-only service running on a different
port besides the SSH server for admin shell access?

Ciao, Michael.

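As an added example (not code from this thread, from OpenSSH, or from Go's x/crypto/ssh), the hostname-only principal rule discussed above, modelled in Python: the dial address loses its port before it is compared with the certificate's valid principals, so two services on different ports of the same FQDN are accepted by the same host certificate, and only a different FQDN gives a separately checkable identity. The function names (`host_principal`, `cert_matches`, `verbatim_matches`, `service_isolation_report`) and the sample certificates and addresses are assumptions made for this example.

```python
"""Hostname-only principal matching for SSH host certificates.

Added example, not from the thread or from OpenSSH/Go code. It models the
rule under discussion: a host certificate's principal is the bare hostname,
so the port a service listens on plays no part in the identity check.
"""


def host_principal(addr: str) -> str:
    """Reduce a dial address such as "host:22" or "[::1]:2222" to the
    hostname compared against the certificate's principals.

    The port is discarded; the name is lower-cased and loses a trailing dot.
    """
    addr = addr.strip()
    if addr.startswith("["):                 # bracketed IPv6 literal, maybe with port
        host = addr[1:addr.index("]")]
    elif addr.count(":") == 1:               # host:port
        host = addr.rsplit(":", 1)[0]
    else:                                    # bare name or bare IPv6 literal
        host = addr
    return host.lower().rstrip(".")


def cert_matches(addr: str, valid_principals: list[str]) -> bool:
    """True if the hostname derived from addr is in the certificate's
    valid principals. An empty principal list is the PROTOCOL.certkeys
    special case: the certificate is valid for any principal."""
    if not valid_principals:
        return True
    wanted = {p.lower().rstrip(".") for p in valid_principals}
    return host_principal(addr) in wanted


def verbatim_matches(addr: str, valid_principals: list[str]) -> bool:
    """Failure mode for contrast: a checker that compares the dial address
    verbatim (port included) never matches a hostname-only principal."""
    return addr in valid_principals


def service_isolation_report(certs: dict[str, list[str]],
                             addrs: list[str]) -> dict[str, list[str]]:
    """For each dial address, list the labels of the certificates that
    would be accepted for it under hostname-only matching."""
    return {
        addr: [label for label, principals in certs.items()
               if cert_matches(addr, principals)]
        for addr in addrs
    }


# Constructed sample: one host certificate per service, keyed by a label.
SAMPLE_CERTS = {
    "admin-cert": ["admin.example.com"],
    "sftp-cert": ["sftp.example.com"],
}
# Constructed sample: shell service on 22, SFTP-only service on 2222.
SAMPLE_ADDRS = [
    "admin.example.com:22",
    "admin.example.com:2222",   # same FQDN: accepted by the same cert
    "sftp.example.com:2222",    # distinct FQDN: separately checkable
]

if __name__ == "__main__":
    for addr, accepted in service_isolation_report(SAMPLE_CERTS, SAMPLE_ADDRS).items():
        print(f"{addr:26} accepted by: {accepted}")
```

The report shows why Uri's "yes and no" holds: the port never enters the check, so an SFTP-only service on port 2222 of `admin.example.com` is accepted by the admin host's certificate, while giving it its own FQDN (and its own certificate) is what makes the two services distinguishable to a client.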

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
