[Bug 2359] New: [PATCH] Allow HostKeyAlias to be used in hostname check against certificate principal
bugzilla-daemon at mindrot.org
Tue Feb 24 04:59:00 AEDT 2015
https://bugzilla.mindrot.org/show_bug.cgi?id=2359
Bug ID: 2359
Summary: [PATCH] Allow HostKeyAlias to be used in hostname check against certificate principal
Product: Portable OpenSSH
Version: 6.7p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: charles at dyfis.net
Created attachment 2555
--> https://bugzilla.mindrot.org/attachment.cgi?id=2555&action=edit
First-draft proposed patch
At present, an SSH certificate signed with the name of a round-robin
pool can't be used to authenticate a single, specific host within that
pool, if logging into it directly. Likewise, if DNS is temporarily
unavailable, one cannot log into a system secured by a host certificate
by IP unless its IP address is listed as a principal.
I propose to address this by allowing a name passed in the
HostKeyAlias option to match a system's principal name in the same
manner, and using the same logic, as presently used for the name used
for the actual lookup and connection.
Proposed on mailing list at
http://lists.mindrot.org/pipermail/openssh-unix-dev/2015-February/033443.html.