[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openssh-bugs
Subject:    [Bug 2359] New: [PATCH] Allow HostKeyAlias to be used in hostname check against certificate principa
From:       bugzilla-daemon () mindrot ! org
Date:       2015-02-23 17:59:00
Message-ID: bug-2359-705 () https ! bugzilla ! mindrot ! org/
[Download RAW message or body]

https://bugzilla.mindrot.org/show_bug.cgi?id=2359

            Bug ID: 2359
           Summary: [PATCH] Allow HostKeyAlias to be used in hostname
                    check against certificate principal
           Product: Portable OpenSSH
           Version: 6.7p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs@mindrot.org
          Reporter: charles@dyfis.net

Created attachment 2555
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2555&action=edit
First-draft proposed patch

At present, a SSH certificate signed with the name of a round-robin
pool can't be used to authenticate a single, specific host within that
pool, if logging into it directly. Likewise, if DNS is temporarily
unavailable, one cannot log into a system secured by a host certificate
by IP unless its IP address is listed as a principal.

I propose to address this by allowing a a name passed in the
HostKeyAlias option to match a system's principal name in the same
manner, and using the same logic, as presently used for the name used
for the actual lookup and connection.

Proposed on mailing list at
http://lists.mindrot.org/pipermail/openssh-unix-dev/2015-February/033443.html.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[prev in list] [next in list] [prev in thread] [next in thread]