Golang CertChecker hostname validation differs to OpenSSH
Damien Miller
djm at mindrot.org
Wed May 17 02:46:20 AEST 2017
On Mon, 15 May 2017, Adam Eijdenberg wrote:
> Hi all,
>
> Last week I noticed that the CertChecker in the Go implementation of
> x/crypto/ssh seems to be doing host principal validation incorrectly
> and filed the following bug:
> https://github.com/golang/go/issues/20273
>
> By default they are looking for a principal named "host:port" inside
> of the certificate presented by the server, instead of just looking
> for the host as I believe OpenSSH does.
Darren will know better, since IIRC he added the port specifier to
known_hosts originally. But I believe the behaviour is:
If the default port is in use then the host principal is just the hostname.
If a non-default port, then the host principal is "[host]:port".
If a non-default port is in use and "[host]:port" doesn't match, then
try the plain hostname.
-d
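The matching order Damien describes, written out as a small added Go program (my own illustration, not code from the thread or from x/crypto/ssh; the function names and the "bastion.example.com" host are assumptions):

```go
package main

import (
	"fmt"
	"strconv"
)

// defaultSSHPort is the port for which OpenSSH records the bare hostname.
const defaultSSHPort = 22

// hostPrincipalCandidates returns, in preference order, the names tried
// against a host certificate's principals: the bare hostname on the default
// port; otherwise "[host]:port" first, with the bare hostname as a fallback.
func hostPrincipalCandidates(host string, port int) []string {
	if port == defaultSSHPort {
		return []string{host}
	}
	return []string{"[" + host + "]:" + strconv.Itoa(port), host}
}

// matchHostPrincipal reports which candidate matched the certificate's
// valid principals, or "" if none did.
func matchHostPrincipal(host string, port int, certPrincipals []string) string {
	present := make(map[string]bool, len(certPrincipals))
	for _, p := range certPrincipals {
		present[p] = true
	}
	for _, c := range hostPrincipalCandidates(host, port) {
		if present[c] {
			return c
		}
	}
	return ""
}

func main() {
	// Constructed principal list; not taken from any real certificate.
	cert := []string{"bastion.example.com", "[bastion.example.com]:2222"}
	for _, port := range []int{22, 2222, 8022} {
		fmt.Printf("port %d: candidates %v -> matched %q\n", port,
			hostPrincipalCandidates("bastion.example.com", port),
			matchHostPrincipal("bastion.example.com", port, cert))
	}
	// The unbracketed "host:port" form reported in the Go issue is never tried.
	fmt.Printf("unbracketed only: matched %q\n",
		matchHostPrincipal("bastion.example.com", 2222, []string{"bastion.example.com:2222"}))
}
```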