| Summary: | Check for SSHFP when certificate is offered. |
|---|---|
| Product: | Portable OpenSSH |
| Reporter: | Ondrej Caletka <ondrej> |
| Component: | ssh |
| Assignee: | Assigned to nobody <unassigned-bugs> |
| Status: | NEW |
| Severity: | enhancement |
| Priority: | P5 |
| Version: | 6.1p1 |
| Hardware: | All |
| OS: | All |

Created attachment 2404 [details]
Check for SSHFP when certificate is offered
This is the same patch, only rebased to OpenSSH 6.4p1 codebase.

Created attachment 2185 [details]
Check for SSHFP when certificate is offered.
When the sshd offers a certificate to the client (which is the default when such a certificate is configured), the client refuses to do SSHFP validation for the key embedded in the certificate. This patch fixes this by dropping the certificate for the purpose of checking SSHFP records, yet retaining the certificate for other checks if SSHFP authentication fails. It is therefore possible to fall back to certificate authentication when, for instance, the client does not have DNSSEC-enabled connectivity.
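
The check described in this report, as an added Python sketch (not the attached patch and not OpenSSH code): it strips the certificate wrapper from a host key blob, rebuilds the plain key blob, and compares its digest with SSHFP records. All function names are hypothetical, the records are assumed to come from DNSSEC-validated answers, and the sample blob is constructed.

```python
import hashlib
import struct

# cert key type -> (plain key type, number of public-key fields, SSHFP algorithm)
CERT_TYPES = {
    b"ssh-rsa-cert-v01@openssh.com": (b"ssh-rsa", 2, 1),          # e, n
    b"ssh-ed25519-cert-v01@openssh.com": (b"ssh-ed25519", 1, 4),  # pk
}

def read_string(buf, off):
    """Read one SSH wire-format string (uint32 length + bytes)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[off + 4:end], end

def put_string(data):
    return struct.pack(">I", len(data)) + data

def drop_certificate(blob):
    """Return (plain key blob, SSHFP algorithm) for a certificate host key blob."""
    ktype, off = read_string(blob, 0)
    if ktype not in CERT_TYPES:
        raise ValueError("not a supported certificate type")
    plain_type, nfields, sshfp_alg = CERT_TYPES[ktype]
    _nonce, off = read_string(blob, off)  # nonce is cert-only, not part of the key
    plain = put_string(plain_type)
    for _ in range(nfields):  # mpints and raw keys are both length-prefixed
        field, off = read_string(blob, off)
        plain += put_string(field)
    return plain, sshfp_alg

def sshfp_matches(cert_blob, records):
    """records: (algorithm, fp_type, hex digest) tuples; fp_type 1=SHA-1, 2=SHA-256."""
    plain, alg = drop_certificate(cert_blob)
    digests = {1: hashlib.sha1(plain).hexdigest(), 2: hashlib.sha256(plain).hexdigest()}
    return any(a == alg and digests.get(t) == fp.lower() for a, t, fp in records)

def build_sample_cert():
    # Constructed sample: real layout up to the key fields, dummy bytes after them.
    tail = struct.pack(">Q", 1) + b"rest-of-certificate"
    return (put_string(b"ssh-rsa-cert-v01@openssh.com") + put_string(b"\x11" * 32)
            + put_string(b"\x01\x00\x01") + put_string(b"\x00" + b"\xc3" * 256) + tail)
```

A `False` result from `sshfp_matches` is the point where a client would continue with its normal certificate validation, which is the fallback the report describes.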