Proposal: Allow HostKeyAlias to be used in hostname check against certificate principal.
Charles Duffy
charles at dyfis.net
Fri Feb 20 08:39:28 AEDT 2015
The note is appreciated. This patch is now available from github, as
https://github.com/charles-dyfis-net/openssh-portable/compare/openssh:773dda2...charles-dyfis-net:host-key-alias-cert-check
and as inline plaintext below.
>From 367fd8323d864daaf486047850f93c2167c66f37 Mon Sep 17 00:00:00 2001
From: Charles Duffy <charles at threatgrid.com>
Date: Tue, 17 Feb 2015 09:49:32 -0600
Subject: [PATCH] Allow HostKeyAlias to match a host certificate principal if
HostName does not
---
sshconnect.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sshconnect.c b/sshconnect.c
index df921be..666c3ff 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -902,7 +902,8 @@ check_host_key(char *hostname, struct sockaddr
*hostaddr, u_short port,
debug("Found %s in %s:%lu", want_cert ? "CA key" : "key",
host_found->file, host_found->line);
if (want_cert && !check_host_cert(hostname, host_key))
- goto fail;
+ if (options.host_key_alias == NULL ||
!check_host_cert(options.host_key_alias, host_key))
+ goto fail;
if (options.check_host_ip && ip_status == HOST_NEW) {
if (readonly || want_cert)
logit("%s host key for IP address "
--
2.0.0
On Thu, Feb 19, 2015 at 3:32 PM, Ángel González <keisial at gmail.com> wrote:
> On 19/02/15 19:37, Charles Duffy wrote:
>>
>> A trivial patch implementing this behavior is attached.
>
> Also stripped by the mailing list. Make sure you are attaching it with the
> proper mime type.
>
>
> PS: That seems a good idea.
>
>
>
More information about the openssh-unix-dev
mailing list