[Bug 3157] known_hosts @cert-authority with legacy plain key entry drops incorrect set of HostKeyAlgorithms

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed May 6 04:43:08 AEST 2020


https://bugzilla.mindrot.org/show_bug.cgi?id=3157

--- Comment #3 from Paul Kapp <paullkapp at gmail.com> ---
Yes, this patch does happen to fix the particular case, but not the
general case. From my example, my test server had an ed25519 host key
signed by an ed25519 CA, and the client did include a request for host
key/cert of type ssh-ed25519-cert-v01@openssh.com.

The remote host may have a certificate of type
ecdsa-sha2-nistp256-cert-v01@openssh.com signed by that same ed25519
CA, which would also be acceptable. If the remote host had only that
cert available, the host validation would fail, since the client does
not include ecdsa-sha2-nistp256-cert-v01@openssh.com in its priority
list.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
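The rule the comment argues for, modelled as an added example (this is illustration code written for this page, not OpenSSH's own hostkey handling): a plain known_hosts key entry only makes that one key type verifiable, while a @cert-authority entry makes every certificate type verifiable, because the CA can sign a host key of any type regardless of the CA key's own type. The known_hosts lines, the key blobs and the default algorithm ordering are constructed for the example; the algorithm names themselves are real OpenSSH identifiers.

```python
"""Build an ordered HostKeyAlgorithms preference list from known_hosts lines.

Illustration only (not OpenSSH code).  Algorithms the client can already
verify for the host are moved to the front of an assumed default ordering,
the rest keep their default order behind them.
"""
import fnmatch
from typing import Iterable, List, Set

# Real OpenSSH algorithm names; the ordering is an assumed default preference.
CERT_ALGORITHMS = [
    "ssh-ed25519-cert-v01@openssh.com",
    "ecdsa-sha2-nistp256-cert-v01@openssh.com",
    "ecdsa-sha2-nistp384-cert-v01@openssh.com",
    "ecdsa-sha2-nistp521-cert-v01@openssh.com",
    "rsa-sha2-512-cert-v01@openssh.com",
    "rsa-sha2-256-cert-v01@openssh.com",
]
PLAIN_ALGORITHMS = [
    "ssh-ed25519",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
    "rsa-sha2-512",
    "rsa-sha2-256",
    "ssh-rsa",
]
DEFAULT_ORDER = CERT_ALGORITHMS + PLAIN_ALGORITHMS

# Plain key type as written in known_hosts -> signature algorithms that key can
# be verified with (an RSA key may sign with any of the three RSA variants).
KEYTYPE_ALGS = {
    "ssh-ed25519": ["ssh-ed25519"],
    "ecdsa-sha2-nistp256": ["ecdsa-sha2-nistp256"],
    "ecdsa-sha2-nistp384": ["ecdsa-sha2-nistp384"],
    "ecdsa-sha2-nistp521": ["ecdsa-sha2-nistp521"],
    "ssh-rsa": ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"],
}

# Constructed sample; the base64 blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = [
    "# constructed sample known_hosts",
    "@cert-authority *.example.test ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLECA ca",
    "legacy.example.test ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABEXAMPLE legacy-plain-key",
]


def host_matches(patterns: str, host: str) -> bool:
    """Match the comma-separated host field of a known_hosts entry.

    A matching negated pattern (!host) rejects the whole entry.  Hashed
    entries (|1|...) are treated as non-matching in this illustration,
    since the HMAC comparison is out of scope here.
    """
    if patterns.startswith("|1|"):
        return False
    positive = False
    for pat in patterns.split(","):
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            positive = True
    return positive


def known_algorithms(known_hosts: Iterable[str], host: str) -> Set[str]:
    """Return the set of host key algorithms the client can verify for host."""
    known: Set[str] = set()
    for line in known_hosts:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue  # malformed entry: hosts, keytype and blob are required
        hosts, keytype = fields[0], fields[1]
        if marker == "@revoked" or not host_matches(hosts, host):
            continue
        if marker == "@cert-authority":
            # The CA may sign a host key of any type, so every certificate
            # algorithm is verifiable, not only the one matching the CA key.
            known.update(CERT_ALGORITHMS)
        else:
            known.update(KEYTYPE_ALGS.get(keytype, []))
    return known


def host_key_algorithms(known_hosts: Iterable[str], host: str) -> List[str]:
    """Known-verifiable algorithms first (default order), the rest after."""
    known = known_algorithms(known_hosts, host)
    preferred = [a for a in DEFAULT_ORDER if a in known]
    remaining = [a for a in DEFAULT_ORDER if a not in known]
    return preferred + remaining


if __name__ == "__main__":
    for a in host_key_algorithms(SAMPLE_KNOWN_HOSTS, "legacy.example.test"):
        print(a)
```

For legacy.example.test both entries match, so all six certificate algorithms lead the list (the ecdsa certificate type from the comment included) followed by the RSA plain algorithms; a host matched only by the wildcard CA entry gets the certificate algorithms alone promoted, and an unknown host keeps the plain default ordering.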