Re: Golang CertChecker hostname validation differs to OpenSSH

    > Yes and no. The standards wisely do not allow port numbers as a part of the DNS
    > identity.

    Ok, then one must access the different services by different FQDN.

Apparently. That’s what everybody else has been doing for the last umpteen years. ;-)

    > I still think it’s not a very good idea to “securely distinguish several SSH services
    > running on a single host”, but it seems entirely doable if you’re bent on it.

    I'm curious: What's wrong with having a different SFTP-only service running on a different
    port besides the SSH server for admin shell access?

Nothing that I can see off-hand.

On the other hand, what’s your threat model? If it’s on the same host, how can I compromise one key but not the other?

But as I said, while I would separate by virtual hosting and FQDN, you can craft the certs the way you want – except that the DNS name in the SAN cannot have the port.

Attachment: smime.p7s
Description: S/MIME cryptographic signature
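The point made in this reply is that a port is not part of a DNS identity: a certificate's SAN or principal names the host, and the client must strip any ":port" from the target it dialled before comparing. The following Go snippet is an added illustration of that normalization and is not code from this thread, from OpenSSH, or from the Go ssh package; it assumes exact-match principals (no wildcards), a constructed principal list, and a hypothetical helper `principalCarriesPort` to flag a certificate that was mistakenly issued with a port in the name and so can never match.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// normalizeHost strips an optional ":port" (including the IPv6 "[addr]:port"
// form) from a dialled target and canonicalizes the remainder, because the DNS
// identity in a certificate never carries a port.
func normalizeHost(target string) string {
	host := target
	if h, _, err := net.SplitHostPort(target); err == nil {
		host = h
	}
	return strings.TrimSuffix(strings.ToLower(host), ".")
}

// matchesPrincipal reports whether the dialled target is covered by one of the
// certificate's DNS identities. Principals are canonicalized for case and a
// trailing dot only; a port is deliberately NOT stripped from them, so a cert
// issued for "host:2222" (a misconfiguration) never matches anything.
func matchesPrincipal(target string, principals []string) bool {
	host := normalizeHost(target)
	for _, p := range principals {
		if strings.TrimSuffix(strings.ToLower(p), ".") == host {
			return true
		}
	}
	return false
}

// principalCarriesPort is a hypothetical lint helper: it reports whether a
// principal parses as "host:port", i.e. was issued with a port that the
// standards do not allow in a DNS identity.
func principalCarriesPort(p string) bool {
	_, _, err := net.SplitHostPort(p)
	return err == nil
}

func main() {
	// Constructed example: one host, an admin SSH service on 22 and an
	// SFTP-only service on 2222, each reached via its own FQDN.
	principals := []string{"admin.example.com", "sftp.example.com"}
	for _, target := range []string{
		"sftp.example.com:2222",
		"ADMIN.example.com.:22",
		"other.example.com:22",
	} {
		fmt.Printf("%-24s matches=%v\n", target, matchesPrincipal(target, principals))
	}
	for _, p := range []string{"sftp.example.com", "sftp.example.com:2222"} {
		fmt.Printf("principal %-24s carries port=%v\n", p, principalCarriesPort(p))
	}
}
```

The design choice worth noting is the asymmetry: the dialled target is normalized (port removed) but the certificate's principals are not, so the check never silently accepts a certificate whose name embeds a port.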

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
