Golang CertChecker hostname validation differs to OpenSSH

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Thu May 18 04:50:27 AEST 2017

    > Yes and no. The standards wisely do not allow port numbers as a part of the DNS
    > identity.
    Ok, then one must access the different services by different FQDN.
Apparently. That’s what everybody else has been doing for the last umpteen years. ;-)

    > I still think it’s not a very good idea to “securely distinguish several SSH services
    > running on a single host”, but it seems entirely doable if you’re bent on it.
    I'm curious: What's wrong to have a different SFTP-only service running on a different
    port besides the SSH server for admin shell access?

Nothing that I can see off-hand. 

On the other hand, what’s your threat model? If it’s on the same host, how can I compromise one key but not the other?

But as I said, while I would separate by virtual hosting and FQDN, you can craft the certs the way you want – except that the DNS name in the SAN cannot have the port.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5211 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20170517/9e651dde/attachment.bin>

More information about the openssh-unix-dev mailing list