Golang CertChecker hostname validation differs to OpenSSH

Michael Ströder michael at stroeder.com
Thu May 18 04:45:57 AEST 2017

Blumenthal, Uri - 0553 - MITLL wrote:
>     > Uri (earlier in this thread) does answer this question clearly (that
>     > the principal should be the hostname only), and, now that I've found
>     > PROTOCOL.certkeys, this seems to be spelt out unambiguously there too:
> In turn this means: One cannot expect several SSH services on a single host to be
> securely distinguishable from each other by their particular service key. So if one of
> the SSH services gets compromised all SSH services on this host are subject to MITM
> attacks with the private key of the compromised service.
> Yes and no. The standards wisely do not allow port numbers as a part of the DNS
> identity.

Ok, then one must access the different services by different FQDN.

> I still think it’s not a very good idea to “securely distinguish several SSH services
> running on a single host”, but it seems entirely doable if you’re bent on it.

I'm curious: What's wrong to have a different SFTP-only service running on a different
port besides the SSH server for admin shell access?

Ciao, Michael.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3829 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20170517/42b12ad0/attachment-0001.bin>

More information about the openssh-unix-dev mailing list