[Bug 3157] known_hosts @cert-authority with legacy plain key entry drops incorrect set of HostKeyAlgorithms

bugzilla-daemon at mindrot.org
Wed May 6 00:43:27 AEST 2020


https://bugzilla.mindrot.org/show_bug.cgi?id=3157

--- Comment #2 from Paul Kapp <paullkapp at gmail.com> ---
It is different, but not quite correct either, IMO. The CA key type
listed as the @cert-authority entry could be used to sign any key type.

If a @cert-authority is applicable from known_hosts, the client should
include all the available certificate types in the list offered to the
server, since the client is prepared to trust any of the certificate
types SignedBy the CA, and has no way to predict which type(s) may be
available on the server.

Ordering of the list is probably suitable, moving some certificate
types to the head of the list, based on other plain key types matched
in known_hosts, as the fallback to plain keys logic may still be used.
However, the full list (as appears in HostKeyAlgorithms) ought to be
represented.

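The ordering the comment argues for, written out as an added Python illustration (not OpenSSH's code and not the commenter's): every algorithm in the full HostKeyAlgorithms list stays in the offer, all certificate types move to the head when a matching @cert-authority line exists, and within each group the types whose plain key type already appears in known_hosts come first. The algorithm list, the known_hosts lines and the hostname matching (exact names only; hashed and wildcard entries are skipped) are assumptions made for the example.

```python
CERT_SUFFIX = "-cert-v01@openssh.com"
# Signature algorithms whose name differs from their key type (assumed table:
# only the RSA variants; every other name is taken to equal its key type).
SIG_TO_KEY_TYPE = {"rsa-sha2-256": "ssh-rsa", "rsa-sha2-512": "ssh-rsa"}

# Illustrative proposal order, not OpenSSH's real default list.
HOSTKEY_ALGORITHMS = [
    "ssh-ed25519-cert-v01@openssh.com", "ecdsa-sha2-nistp256-cert-v01@openssh.com",
    "rsa-sha2-512-cert-v01@openssh.com", "ssh-ed25519", "ecdsa-sha2-nistp256",
    "rsa-sha2-512", "ssh-rsa",
]

def is_cert(alg):
    return alg.endswith(CERT_SUFFIX)

def plain_key_type(alg):
    """Map a host key algorithm to the key type a known_hosts line carries."""
    base = alg[: -len(CERT_SUFFIX)] if is_cert(alg) else alg
    return SIG_TO_KEY_TYPE.get(base, base)

def known_hosts_matches(known_hosts, host):
    """Return (ca_key_types, plain_key_types) from lines naming `host` exactly.
    Simplification: hashed (|1|...) and wildcard hostnames never match."""
    ca, plain = set(), set()
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = None
        if fields[0].startswith("@"):          # @cert-authority / @revoked
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3 or marker == "@revoked":
            continue
        if host not in fields[0].split(","):
            continue
        (ca if marker == "@cert-authority" else plain).add(fields[1])
    return ca, plain

def order_hostkeyalgs(known_hosts, host, algs=HOSTKEY_ALGORITHMS):
    """Order the client's proposal as the comment suggests; nothing is dropped."""
    ca, plain = known_hosts_matches(known_hosts, host)
    def rank(alg):
        matched = plain_key_type(alg) in plain
        if ca and is_cert(alg):          # a CA applies: all cert types go first
            return 0 if matched else 1
        return 2 if matched else 3       # plain-key fallback ordering
    return sorted(algs, key=rank)        # stable: original order within a rank
```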

