Golang CertChecker hostname validation differs to OpenSSH

Peter Moody mindrot at hda3.com
Tue May 16 02:42:14 AEST 2017

On May 15, 2017 09:38, "Peter Moody" <mindrot at hda3.com> wrote:

On Mon, May 15, 2017 at 2:01 AM, Adam Eijdenberg <adam at continusec.com>
> On Mon, May 15, 2017 at 11:39 AM, Peter Moody <mindrot at hda3.com> wrote:
>> my reading of the sshd manpage is that ssh is more permissive than it
should be
>>   ...
>>   A hostname or address may optionally be enclosed within `[' and `]'
>> brackets then followed by `:' and a non-standard port number.
> Hi Peter, I'm not sure that quite answers the same question.
> ie at one level there is a decision that is made about whether a line
> in the known hosts file should be evaluated for a given host/port -
> and I think that's what you are referring to above.
> However once a line from known hosts is allowed for evaluation for a
> host/port, there's a second matter of checking whether the certificate
> presented contains the appropriate principal.
> I think this what "check_host_cert()" does, and as far as I can tell,
> OpenSSH only passes it the hostname (not "host:port"). See:
> https://github.com/openssh/openssh-portable/blob/
> (for better or for worse, this would be roughly inline with X.509v3
> cert host matching, which also doesn't match on port numbers)


your proposed patch removes both checks though. I think you'd want to
modify knownhosts.go if you want to support not including non-standard
ports in IsHostAuthority.

Note, you can also write your own IsHostAuthority that ignores the
port, I think this just affects the HostKeyCallback provided by

I could be wrong about that though, I'm about I to jump on an airplane and
I haven't inspected it closely.

More information about the openssh-unix-dev mailing list