Golang CertChecker hostname validation differs to OpenSSH
Michael Ströder
michael at stroeder.com
Thu May 18 04:45:57 AEST 2017
Blumenthal, Uri - 0553 - MITLL wrote:
>
> > Uri (earlier in this thread) does answer this question clearly (that
> > the principal should be the hostname only), and, now that I've found
> > PROTOCOL.certkeys, this seems to be spelt out unambiguously there too:
>
> In turn this means: One cannot expect several SSH services on a single host to be
> securely distinguishable from each other by their particular service key. So if one of
> the SSH services gets compromised all SSH services on this host are subject to MITM
> attacks with the private key of the compromised service.
>
> Yes and no. The standards wisely do not allow port numbers as a part of the DNS
> identity.
Ok, then one must access the different services by different FQDN.
> I still think it’s not a very good idea to “securely distinguish several SSH services
> running on a single host”, but it seems entirely doable if you’re bent on it.
I'm curious: What's wrong with having a different SFTP-only service running on a different
port besides the SSH server for admin shell access?
Ciao, Michael.
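The point the thread turns on (a host certificate's principals are hostnames only, so the port a client connects to plays no part in the check, and the only way to give two services on one machine distinct identities is to give them distinct FQDNs) can be illustrated with a small model of the check. The code below is an added example and is not from the thread, from OpenSSH or from the Go `ssh` package; the `HostCert` structure, the hostnames and the helper names are all constructed for the illustration.

```python
"""
Models an OpenSSH-style host certificate check: the connected host's name is
compared against the certificate's principal list, and the port is discarded
before the comparison. Everything here (HostCert, the hostnames, the helpers)
is a constructed illustration, not the real OpenSSH or Go implementation.
"""
from dataclasses import dataclass


@dataclass
class HostCert:
    # Valid hostnames for this certificate (hostname only, no port).
    principals: list


def split_host_port(target: str) -> tuple:
    """Split 'host', 'host:port', '[v6addr]:port' or a bare v6 address.

    Returns (lowercased host, port); the port defaults to 22 when absent.
    """
    if target.startswith("["):
        host, _, rest = target[1:].partition("]")
        port = int(rest[1:]) if rest.startswith(":") else 22
        return host.lower(), port
    if target.count(":") > 1:
        # Bare IPv6 address without brackets: no port component present.
        return target.lower(), 22
    host, sep, port = target.rpartition(":")
    if sep and port.isdigit():
        return host.lower(), int(port)
    return target.lower(), 22


def cert_matches_target(cert: HostCert, target: str) -> bool:
    """True when the target's hostname appears in the principal list.

    The port is deliberately dropped: two SSH services bound to the same
    FQDN on different ports are indistinguishable to this check.
    """
    host, _port = split_host_port(target)
    return host in (p.lower() for p in cert.principals)


def services_covered_by(cert: HostCert, targets: list) -> list:
    """List the connection targets that one host certificate vouches for."""
    return [t for t in targets if cert_matches_target(cert, t)]


if __name__ == "__main__":
    # Constructed scenario: admin shell on 22 and an SFTP-only daemon on 2222.
    shared_name = HostCert(principals=["host.example.com"])
    targets = ["host.example.com:22", "host.example.com:2222"]
    # Both services are covered by one certificate; a key leaked from either
    # daemon lets its holder pass the check for the other.
    print(services_covered_by(shared_name, targets))

    # Remedy from the thread: a distinct FQDN per service gives each its
    # own principal, so the certificates no longer overlap.
    shell_cert = HostCert(principals=["shell.example.com"])
    sftp_cert = HostCert(principals=["sftp.example.com"])
    split_targets = ["shell.example.com:22", "sftp.example.com:2222"]
    print(services_covered_by(shell_cert, split_targets))
    print(services_covered_by(sftp_cert, split_targets))
```

Run as a script, the first list contains both targets, while the two lists that follow contain one target each: the separation comes from the DNS name, not from the port number.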