Question about host certificates
Iain Morgan
imorgan at nas.nasa.gov
Fri Mar 19 11:47:35 EST 2010
On Thu, Mar 18, 2010 at 19:16:11 -0500, Damien Miller wrote:
> On Thu, 18 Mar 2010, Iain Morgan wrote:
>
> > Right. Of the two alternatives you mention, I would prefer the CIDR
> > approach.
> >
> > On a related topic, I notice that when key_cert_check_authority() is
> > called from sshconnect.c the principal is not checked. Shouldn't the list
> > of principals for a host cert be the various names (qualified and,
> > perhaps, unqualified) by which the host is known and shouldn't that list
> > be checked to confirm that the cert belongs to the right host?
>
> I'm pretty sure it passes the hostname:
>
> check_host_cert(const char *host, const Key *host_key)
> {
>         const char *reason;
>
>         if (key_cert_check_authority(host_key, 1, 0, host, &reason) != 0) {
>                 error("%s", reason);
>                 return 0;
>         }
>
> and
>
>         if (want_cert && !check_host_cert(hostname, host_key))
>                 goto fail;
>
> The 3rd argument to key_cert_check_authority() doesn't _require_ that there
> be a principal (host) name in the cert, so if a CA wants to issue wildcard
> certs then it can.
>
> -d
My mistake. I was focusing on the fact that require_principal is not
set. But you are correct that the hostname is passed and would be checked
against the list of principals, if any. And I see now why we are not
requiring a principal. That 'wildcarding' could be useful in a cluster
environment.
Thanks
--
Iain Morgan
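To make the behaviour discussed above concrete, here is an added example (written for this page, not OpenSSH's own code) that models the principal and validity-window logic of an authority check the way the thread describes it: the client passes the name it connected to, a certificate that lists principals is only accepted for a name on that list, and a certificate with an empty principal list is accepted for any host unless require_principal is set. The struct, the function names and the sample certificates (a cluster node listed under both its qualified and unqualified name, and a principal-less "wildcard" cert) are all constructed for the example; the validity-window check is included as an assumption about what such a check also covers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the parts of a host certificate that the
 * authority check looks at; it is not OpenSSH's Key/cert structure. */
struct host_cert {
    const char *const *principals;  /* host names the cert is issued for */
    size_t nprincipals;             /* 0 means the CA issued a "wildcard" cert */
    uint64_t valid_after;           /* seconds since the epoch, inclusive */
    uint64_t valid_before;          /* seconds since the epoch, exclusive */
};

/*
 * Model of the principal and validity-window logic described in the
 * thread (an assumption about the behaviour, not OpenSSH's source):
 *  - the cert must be inside its validity window;
 *  - if it lists principals, `hostname` must be one of them;
 *  - if it lists none, it matches any host unless require_principal is set.
 * Returns 0 when the cert is acceptable for `hostname`, -1 otherwise,
 * with *reason pointing at a static explanation either way.
 */
int check_cert_principal(const struct host_cert *cert, bool require_principal,
                         const char *hostname, uint64_t now, const char **reason)
{
    if (now < cert->valid_after) {
        *reason = "certificate is not yet valid";
        return -1;
    }
    if (now >= cert->valid_before) {
        *reason = "certificate has expired";
        return -1;
    }
    if (cert->nprincipals == 0) {
        if (require_principal) {
            *reason = "certificate lacks a principal and one is required";
            return -1;
        }
        *reason = "accepted: wildcard certificate with no principals";
        return 0;
    }
    for (size_t i = 0; i < cert->nprincipals; i++) {
        if (strcmp(cert->principals[i], hostname) == 0) {
            *reason = "accepted: host name is listed as a principal";
            return 0;
        }
    }
    *reason = "certificate is not valid for this host name";
    return -1;
}

/* Convenience wrapper with a boolean result, like check_host_cert() above. */
int host_cert_ok(const struct host_cert *cert, bool require_principal,
                 const char *hostname, uint64_t now)
{
    const char *reason;
    return check_cert_principal(cert, require_principal, hostname, now, &reason) == 0;
}

/* Constructed sample certificates (made up for this example). */
static const char *const node1_names[] = { "node1.example.com", "node1" };
const struct host_cert node1_cert = { node1_names, 2, 1000, 2000 };
const struct host_cert wildcard_cert = { NULL, 0, 1000, 2000 };

int main(void)
{
    const struct { const struct host_cert *cert; bool req; const char *host; uint64_t now; } cases[] = {
        { &node1_cert,    false, "node1.example.com",    1500 },
        { &node1_cert,    false, "node1",                1500 },
        { &node1_cert,    false, "node2.example.com",    1500 },
        { &wildcard_cert, false, "anything.example.com", 1500 },
        { &wildcard_cert, true,  "anything.example.com", 1500 },
        { &node1_cert,    false, "node1",                2500 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const char *reason;
        int rc = check_cert_principal(cases[i].cert, cases[i].req, cases[i].host,
                                      cases[i].now, &reason);
        printf("%-22s require_principal=%d now=%llu -> %s (%s)\n", cases[i].host,
               (int)cases[i].req, (unsigned long long)cases[i].now,
               rc == 0 ? "accept" : "reject", reason);
    }
    return 0;
}
```

The two rejections worth noticing are the ones the thread turns on: a wildcard cert is rejected only when the caller insists on a principal, and a cert with principals is rejected for a name it does not list even though the CA signature would verify. Listing both the qualified and the unqualified name, as the sample cluster cert does, is what lets the same cert work whichever way a user spells the host.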