[Bug 2359] New: [PATCH] Allow HostKeyAlias to be used in hostname check against certificate principal

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Feb 24 04:59:00 AEDT 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2359

            Bug ID: 2359
           Summary: [PATCH] Allow HostKeyAlias to be used in hostname
                    check against certificate principal
           Product: Portable OpenSSH
           Version: 6.7p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: charles at dyfis.net

Created attachment 2555
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2555&action=edit
First-draft proposed patch

At present, an SSH certificate signed with the name of a round-robin
pool can't be used to authenticate a single, specific host within that
pool, if logging into it directly. Likewise, if DNS is temporarily
unavailable, one cannot log into a system secured by a host certificate
by IP unless its IP address is listed as a principal.

I propose to address this by allowing a name passed in the
HostKeyAlias option to match a system's principal name in the same
manner, and using the same logic, as presently used for the name used
for the actual lookup and connection.

Proposed on mailing list at
http://lists.mindrot.org/pipermail/openssh-unix-dev/2015-February/033443.html.
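The check the report describes, written out as an added illustration (this is not OpenSSH's code and not the attached patch). A host certificate is modelled as a dict with a principal list and a validity window; the CA signature verification that a real client performs first is assumed to have already passed. Principals are compared by exact string equality here, which is a simplification; the certificate, host names and IP address are constructed sample values.

```python
"""Host-certificate principal check with an optional HostKeyAlias fallback.

Added illustration for this bug report, not OpenSSH's own code. The
connect name is tried first, as today; the user's HostKeyAlias is only
consulted as a fallback, which is the behaviour the report proposes.
"""
import time

# Constructed sample: a host certificate issued to a round-robin pool name,
# not to the individual nodes behind it.
POOL_CERT = {
    "key_id": "pool-host-cert",           # constructed value
    "principals": ["pool.example.net"],   # constructed value
    "valid_after": 0,                     # seconds since the epoch
    "valid_before": 2**63 - 1,            # effectively "never expires"
}


def cert_principal_for(cert, connect_name, host_key_alias=None, now=None):
    """Return the name that matched a certificate principal, or None.

    connect_name   -- the name or IP literal ssh actually connected to
    host_key_alias -- the user's HostKeyAlias setting, if any
    now            -- time used for the validity-window check (defaults to now)

    Simplifications: exact string comparison, and a certificate with no
    principals matches nothing (OpenSSH's handling of that case is not
    modelled here).
    """
    now = time.time() if now is None else now
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        return None   # outside the validity window: never trust it
    principals = set(cert["principals"])
    # The connect name keeps priority; the alias is a local, user-configured
    # fallback and does not widen what the certificate itself asserts.
    for candidate in (connect_name, host_key_alias):
        if candidate and candidate in principals:
            return candidate
    return None


def scenarios():
    """Walk through the cases from the report; returns (label, result) pairs."""
    cases = [
        # Today's behaviour: connecting by the pool name works.
        ("connect by pool name", "pool.example.net", None),
        # Today's problem: a specific node in the pool is rejected.
        ("connect to node, no alias", "node3.example.net", None),
        # Proposed: HostKeyAlias names the pool, so the node is accepted.
        ("connect to node, alias=pool", "node3.example.net", "pool.example.net"),
        # Proposed: DNS down, connect by IP, alias still satisfies the cert.
        ("connect by IP, alias=pool", "192.0.2.10", "pool.example.net"),
        # An alias that is not a principal still fails, as it should.
        ("connect to node, wrong alias", "node3.example.net", "other.example.net"),
    ]
    return [(label, cert_principal_for(POOL_CERT, name, alias))
            for label, name, alias in cases]


if __name__ == "__main__":
    for label, matched in scenarios():
        print(f"{label:32s} -> {'accept as ' + matched if matched else 'reject'}")
```

Note that the alias only ever adds a second candidate drawn from the user's own configuration; it never loosens the certificate's principal list or the validity check, and an alias that matches no principal is rejected just like a mismatched connect name.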
