Proposal: Allow HostKeyAlias to be used in hostname check against certificate principal.

Charles Duffy charles at dyfis.net
Fri Feb 20 08:39:28 AEDT 2015


The note is appreciated. This patch is now available from github, as
https://github.com/charles-dyfis-net/openssh-portable/compare/openssh:773dda2...charles-dyfis-net:host-key-alias-cert-check
and as inline plaintext below.


From 367fd8323d864daaf486047850f93c2167c66f37 Mon Sep 17 00:00:00 2001
From: Charles Duffy <charles at threatgrid.com>
Date: Tue, 17 Feb 2015 09:49:32 -0600
Subject: [PATCH] Allow HostKeyAlias to match a host certificate principal if
 HostName does not

---
 sshconnect.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sshconnect.c b/sshconnect.c
index df921be..666c3ff 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -902,7 +902,8 @@ check_host_key(char *hostname, struct sockaddr
*hostaddr, u_short port,
                debug("Found %s in %s:%lu", want_cert ? "CA key" : "key",
                    host_found->file, host_found->line);
                if (want_cert && !check_host_cert(hostname, host_key))
-                       goto fail;
+                       if (options.host_key_alias == NULL ||
!check_host_cert(options.host_key_alias, host_key))
+                               goto fail;
                if (options.check_host_ip && ip_status == HOST_NEW) {
                        if (readonly || want_cert)
                                logit("%s host key for IP address "
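Review bot: the inner `if` added on the `+` lines sits directly under the outer `if (want_cert && !check_host_cert(hostname, host_key))` with no braces, leaving a bare `goto fail` two levels deep and inviting a dangling-else mistake on the next edit; fold it into one condition instead, e.g. `if (want_cert && !check_host_cert(hostname, host_key) && (options.host_key_alias == NULL || !check_host_cert(options.host_key_alias, host_key))) goto fail;`. Two further points worth confirming: check_host_cert() is now called twice when HostName does not match, so if that function reports the principal mismatch itself the user will see that error even when the alias matches afterwards; and since HostKeyAlias comes from the client's own configuration, the certificate is being accepted for a name the user chose rather than the name connected to, which is the intended behaviour of this proposal but should be stated in the ssh_config(5) description of HostKeyAlias, and this patch carries no documentation change.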
--
2.0.0

On Thu, Feb 19, 2015 at 3:32 PM, Ángel González <keisial at gmail.com> wrote:
> On 19/02/15 19:37, Charles Duffy wrote:
>>
>> A trivial patch implementing this behavior is attached.
>
> Also stripped by the mailing list. Make sure you are attaching it with the
> proper mime type.
>
>
> PS: That seems a good idea.
>
>
>
