Golang CertChecker hostname validation differs to OpenSSH
Blumenthal, Uri - 0553 - MITLL
uri at ll.mit.edu
Thu May 18 04:50:27 AEST 2017
>> Yes and no. The standards wisely do not allow port numbers as a part of the DNS
>> identity.
> Ok, then one must access the different services by different FQDN.
Apparently. That’s what everybody else has been doing for the last umpteen years. ;-)
>> I still think it’s not a very good idea to “securely distinguish several SSH services
>> running on a single host”, but it seems entirely doable if you’re bent on it.
> I'm curious: What's wrong to have a different SFTP-only service running on a different
> port besides the SSH server for admin shell access?
Nothing that I can see off-hand.
On the other hand, what’s your threat model? If it’s on the same host, how can I compromise one key but not the other?
But as I said, while I would separate by virtual hosting and FQDN, you can craft the certs the way you want – except that the DNS name in the SAN cannot have the port.