Re: Golang CertChecker hostname validation differs to OpenSSH

> > Uri (earlier in this thread) does answer this question clearly (that
> > the principal should be the hostname only), and, now that I've found
> > PROTOCOL.certkeys, this seems to be spelt out unambiguously there too:
>
> In turn this means:
> One cannot expect several SSH services on a single host to be securely distinguishable
> from each other by their particular service key. So if one of the SSH services gets
> compromised all SSH services on this host are subject to MITM attacks with the private
> key of the compromised service.


Yes and no. The standards wisely do not allow port numbers as a part of the DNS identity.

On the other hand, nobody prevents you from having different key pairs for the same host name, given to different servers that you insist should run on the same host but on different ports (for example, I have one “name”, but a pile of certificates and corresponding key pairs for that name that I present to different (appropriate) entities). You can even figure out how to mix their port numbers into their names (just don’t make it “hostname” :).

I still think it’s not a very good idea to “securely distinguish several SSH services running on a single host”, but it seems entirely doable if you’re bent on it.
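The two points above, that the principal checked against a host certificate is the hostname with the port stripped, and that a client can still pin a distinct key and a distinct port-derived principal per service on the same host, as an added example. This is illustration code written for this page, not the thread's code and not the golang.org/x/crypto/ssh CertChecker; it uses only the standard library, `HostCert` is a constructed stand-in for a certificate's principal list and key, the fingerprint strings and the `host.example.com-port22` naming convention are made up, and `ServicePolicy` is an assumed client-side data structure.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// HostCert is a constructed stand-in for the parts of an SSH host certificate
// that matter here: the principals it was issued for and a label for the
// signed public key (a fingerprint string, not a real key).
type HostCert struct {
	ValidPrincipals []string
	KeyFingerprint  string
}

// PrincipalForAddress applies the PROTOCOL.certkeys rule quoted in the thread:
// the principal to check is the hostname only, so the port in "host:port" is
// dropped. A bare hostname is accepted unchanged.
func PrincipalForAddress(addr string) (string, error) {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		var aerr *net.AddrError
		if errors.As(err, &aerr) && aerr.Err == "missing port in address" {
			return addr, nil
		}
		return "", err
	}
	return host, nil
}

// CheckHostCert is the standard check: accept if the hostname is one of the
// certificate's principals. The port is ignored on purpose, which is exactly
// why a certificate issued to one service on a host also validates on every
// other port of that host.
func CheckHostCert(addr string, cert HostCert) error {
	principal, err := PrincipalForAddress(addr)
	if err != nil {
		return err
	}
	for _, p := range cert.ValidPrincipals {
		if p == principal {
			return nil
		}
	}
	return fmt.Errorf("ssh: principals %v do not include %q", cert.ValidPrincipals, principal)
}

// ServiceExpectation is the client-side pin the message sketches: the key a
// particular host:port service is expected to present, plus a per-service
// principal the CA put in that certificate (constructed convention; the message
// only says not to reuse the bare hostname for it).
type ServiceExpectation struct {
	Principal      string
	KeyFingerprint string
}

// ServicePolicy maps a dial address ("host:port") to its expectation.
type ServicePolicy map[string]ServiceExpectation

// CheckService runs the standard hostname check first, then additionally
// requires the pinned key and the per-service principal, so a key compromised
// on one port cannot be used to impersonate the service on another port.
func (sp ServicePolicy) CheckService(addr string, cert HostCert) error {
	if err := CheckHostCert(addr, cert); err != nil {
		return err
	}
	exp, ok := sp[addr]
	if !ok {
		return fmt.Errorf("no service policy for %s", addr)
	}
	if cert.KeyFingerprint != exp.KeyFingerprint {
		return fmt.Errorf("%s: key %s is not the key pinned for this service", addr, cert.KeyFingerprint)
	}
	for _, p := range cert.ValidPrincipals {
		if p == exp.Principal {
			return nil
		}
	}
	return fmt.Errorf("%s: certificate lacks service principal %q", addr, exp.Principal)
}

func main() {
	// Constructed certificates: two services on one host, each with its own key.
	sshdCert := HostCert{ValidPrincipals: []string{"host.example.com", "host.example.com-port22"}, KeyFingerprint: "SHA256:key-for-sshd"}
	gitCert := HostCert{ValidPrincipals: []string{"host.example.com", "host.example.com-port2222"}, KeyFingerprint: "SHA256:key-for-git"}

	// Standard rule alone: the sshd certificate is also valid on port 2222.
	fmt.Println("standard check, sshd cert on :2222 ->", CheckHostCert("host.example.com:2222", sshdCert))

	policy := ServicePolicy{
		"host.example.com:22":   {Principal: "host.example.com-port22", KeyFingerprint: "SHA256:key-for-sshd"},
		"host.example.com:2222": {Principal: "host.example.com-port2222", KeyFingerprint: "SHA256:key-for-git"},
	}
	fmt.Println("policy check, sshd cert on :2222 ->", policy.CheckService("host.example.com:2222", sshdCert))
	fmt.Println("policy check, git cert on :2222  ->", policy.CheckService("host.example.com:2222", gitCert))
}
```

The first printed line is `<nil>`: under the hostname-only rule the sshd certificate passes on the git port, which is the exposure the quoted message describes. The policy check rejects it because the pinned key differs, and accepts the git certificate. The per-service principal is an extra guard the CA can provide; the key pin alone is already enough to keep the two services distinguishable on the client side.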


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
