Bugzilla - Attachment 2998 details for Bug 2728
Bug 2728: HostKeyAlias not respected for certificate authority host key validation
Attachment 2998: bz2728.diff (text/plain), 2.08 KB, created by Damien Miller on 2017-06-23 14:04:19 AEST
Description: with documentation
Filename: bz2728.diff
MIME Type: text/plain
Creator: Damien Miller
Created: 2017-06-23 14:04:19 AEST
Size: 2.08 KB
Attachment type: patch (marked obsolete)
>diff --git a/ssh_config.5 b/ssh_config.5 >index 4277f9e..1371d4d 100644 >--- a/ssh_config.5 >+++ b/ssh_config.5 >@@ -809,7 +809,7 @@ The list of available key types may also be obtained using > .It Cm HostKeyAlias > Specifies an alias that should be used instead of the > real host name when looking up or saving the host key >-in the host key database files. >+in the host key database files and when validating host certificates. > This option is useful for tunneling SSH connections > or for multiple servers running on a single host. > .It Cm HostName >diff --git a/sshconnect.c b/sshconnect.c >index a9cc9f3..de5b4b1 100644 >--- a/sshconnect.c >+++ b/sshconnect.c >@@ -837,7 +837,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, > host, type, want_cert ? "certificate" : "key"); > debug("Found %s in %s:%lu", want_cert ? "CA key" : "key", > host_found->file, host_found->line); >- if (want_cert && !check_host_cert(hostname, host_key)) >+ if (want_cert && >+ !check_host_cert(options.host_key_alias == NULL ? >+ hostname : options.host_key_alias, host_key)) > goto fail; > if (options.check_host_ip && ip_status == HOST_NEW) { > if (readonly || want_cert) >diff --git a/sshd.8 b/sshd.8 >index 3f20dba..42436cf 100644 >--- a/sshd.8 >+++ b/sshd.8 
>@@ -625,9 +625,23 @@ Hostnames is a comma-separated list of patterns > and > .Ql \&? > act as >-wildcards); each pattern in turn is matched against the canonical host >-name (when authenticating a client) or against the user-supplied >-name (when authenticating a server). >+wildcards); each pattern in turn is matched against the host name. >+When >+.Nm sshd >+is authenticating a client, such as when using >+.Cm HostbasedAuthentication , >+this will be the canonical client host name. >+When >+.Xr ssh 1 >+is authenticating a server, this will be the either the host name >+given by the user, the value of the >+.Xr ssh 1 >+.Cm HostkeyAlias >+if it was specified, or the canonical server hostname if the >+.Xr ssh 1 >+.Cm CanonicalizeHostname >+option was used. >+.Pp > A pattern may also be preceded by > .Ql \&! > to indicate negation: if the host name matches a negated
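Review bot: The new ssh_config.5 wording "and when validating host certificates" in the HostKeyAlias entry stops short of the user-visible effect: per the sshconnect.c hunk, once an alias is set it is the alias, not the real host name, that is handed to check_host_cert(), so the host certificate has to be valid for the alias. Suggest saying so directly, e.g. "in the host key database files, and as the name a host certificate is checked against", so an administrator issuing certificates knows which principal to put in them.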
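Review bot: The check_host_key() change in sshconnect.c has no accompanying regression test, and the selection of the name is done inline in the call, so the name check_host_cert() matches against and the name it reports on failure are not visibly the same value. Suggest hoisting the choice into a local before the call, roughly "const char *certname = options.host_key_alias ? options.host_key_alias : hostname;" and then "if (want_cert && !check_host_cert(certname, host_key))", and adding a regress case that connects with -o HostKeyAlias= to a server presenting a certificate whose principal is the alias (expected to pass) and one whose principal is only the real host name (expected to fail), so both directions of the new behaviour are pinned down.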
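Review bot: Two wording defects in the new sshd.8 text: "this will be the either the host name given by the user" has a stray "the" and should read "this will be either the host name given by the user", and ".Cm HostkeyAlias" should be ".Cm HostKeyAlias" to match the option's spelling in the ssh_config.5 hunk of this same patch. The three cases listed for the client side also do not say which name wins when HostKeyAlias and CanonicalizeHostname are both in effect; the sshconnect.c hunk uses options.host_key_alias whenever it is set, so the text should state that the alias takes precedence over the canonicalized host name.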
Flags: dtucker: ok+