Question about host certificates
Damien Miller
djm at mindrot.org
Fri Mar 19 11:16:11 EST 2010
On Thu, 18 Mar 2010, Iain Morgan wrote:
> Right. Of the two alternatives you mention, I would prefer the CIDR
> approach.
>
> On a related topic, I notice that when key_cert_check_authority() is
> called from sshconnect.c the principal is not checked. Shouldn't the list
> of principals for a host cert be the various names (qualified and,
> perhaps, unqualified) by which the host is known and shouldn't that list
> be checked to confirm that the cert belongs to the right host?
I'm pretty sure it passes the hostname:

    check_host_cert(const char *host, const Key *host_key)
    {
        const char *reason;

        if (key_cert_check_authority(host_key, 1, 0, host, &reason) != 0) {
            error("%s", reason);
            return 0;
        }

and

    if (want_cert && !check_host_cert(hostname, host_key))
        goto fail;

The 3rd argument to key_cert_check_authority() doesn't _require_ that there
be a principal (host) name in the cert, so if a CA wants to issue wildcard
certs then it can.
-d
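
A simplified model of the principal check discussed in this message, added here as an illustration; it is not OpenSSH source and not code from either poster. The names `model_cert` and `model_check_principal` are hypothetical, the sample hostnames are constructed, and exact string comparison of names is an assumption of the model.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the principal list carried in a host cert. */
struct model_cert {
	const char **principals;
	size_t nprincipals;
};

/*
 * Model of the check discussed above (not OpenSSH source).
 * Returns 0 if the cert may be used for `name`, -1 with *reason set otherwise.
 * Assumption: names are compared with exact string equality.
 */
int
model_check_principal(const struct model_cert *cert, int require_principal,
    const char *name, const char **reason)
{
	size_t i;

	if (cert->nprincipals == 0) {
		if (require_principal) {
			*reason = "certificate lacks principal list";
			return -1;
		}
		return 0;	/* empty list, not required: valid for any host */
	}
	for (i = 0; i < cert->nprincipals; i++) {
		if (name != NULL && strcmp(name, cert->principals[i]) == 0)
			return 0;
	}
	*reason = "name is not a listed principal";
	return -1;
}

int
main(void)
{
	/* Constructed sample data: one cert naming a host, one with no names. */
	const char *names[] = { "login.example.org", "login" };
	struct model_cert named = { names, 2 }, wildcard = { NULL, 0 };
	const char *reason = "ok";

	printf("%d\n", model_check_principal(&named, 0, "login", &reason));
	printf("%d\n", model_check_principal(&named, 0, "other.example.org", &reason));
	printf("%d\n", model_check_principal(&wildcard, 0, "other.example.org", &reason));
	printf("%d (%s)\n", model_check_principal(&wildcard, 1, "login", &reason), reason);
	return 0;
}
```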