Golang CertChecker hostname validation differs to OpenSSH

Damien Miller djm at mindrot.org
Wed May 17 02:46:20 AEST 2017

On Mon, 15 May 2017, Adam Eijdenberg wrote:

> Hi all,
> Last week I noticed that the CertChecker in the Go implementation of
> x/crypto/ssh seems to be doing host principal validation incorrectly
> and filed the following bug:
> https://github.com/golang/go/issues/20273
> By default they are looking for a principal named "host:port" inside
> of the certificate presented by the server, instead of just looking
> for the host as I believe OpenSSH does.

Darren will know better, since IIRC he added the port specifier to
known_hosts originally. But I believe the behaviour is:

If the default port is in use then the host principal is just the hostname.

If a non-default port, then the host principal is "[host]:port".

If a non-default port is in use and "[host]:port" doesn't match, then
try the plain hostname.
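The three rules above, written out as Go code so a client can check a certificate's host principals the way OpenSSH does. This is an added example, not code from the thread or from x/crypto/ssh; it assumes 22 is the default port and the hostnames in main are constructed.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
)

// sshDefaultPort is assumed to be the default port (OpenSSH's 22).
const sshDefaultPort = 22

// HostPrincipalCandidates returns the principals to try for addr, in order:
// the bare hostname on the default port; "[host]:port" first and the bare
// hostname as a fallback on a non-default port.
func HostPrincipalCandidates(addr string) ([]string, error) {
	host, portStr, err := net.SplitHostPort(addr)
	if err != nil {
		// No port in addr (or a bare IPv6 literal): treat as the default port.
		return []string{addr}, nil
	}
	port, err := strconv.Atoi(portStr)
	if err != nil || port < 1 || port > 65535 {
		return nil, fmt.Errorf("invalid port %q in %q", portStr, addr)
	}
	if port == sshDefaultPort {
		return []string{host}, nil
	}
	return []string{fmt.Sprintf("[%s]:%d", host, port), host}, nil
}

// MatchHostPrincipal returns the first certificate principal that authorises
// addr under those rules, or "" when none does.
func MatchHostPrincipal(addr string, principals []string) (string, error) {
	cands, err := HostPrincipalCandidates(addr)
	if err != nil {
		return "", err
	}
	for _, c := range cands {
		for _, p := range principals {
			if p == c {
				return c, nil
			}
		}
	}
	return "", nil
}

func main() {
	principals := []string{"bastion.example.com"} // constructed sample cert principals
	for _, addr := range []string{"bastion.example.com:22", "bastion.example.com:2222"} {
		m, _ := MatchHostPrincipal(addr, principals)
		fmt.Printf("%s -> matched principal %q\n", addr, m)
	}
}
```

A certificate carrying only "bastion.example.com" therefore matches on both ports, while one carrying only the "host:port" form the bug report describes matches neither.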

