Bug 2359

Summary: [PATCH] Allow HostKeyAlias to be used in hostname check against certificate principal
Product: Portable OpenSSH Reporter: Charles Duffy <charles>
Component: ssh
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED DUPLICATE    
Severity: enhancement CC: djm
Priority: P5    
Version: 6.7p1   
Hardware: All   
OS: All   
Bug Depends on:    
Bug Blocks: 2852    
Attachments:
Description Flags
First-draft proposed patch none

Description Charles Duffy 2015-02-24 04:59:00 AEDT
Created attachment 2555 [details]
First-draft proposed patch

At present, an SSH certificate signed with the name of a round-robin pool can't be used to authenticate a single, specific host within that pool, if logging into it directly. Likewise, if DNS is temporarily unavailable, one cannot log into a system secured by a host certificate by IP unless its IP address is listed as a principal.

I propose to address this by allowing a name passed in the HostKeyAlias option to match a system's principal name in the same manner, and using the same logic, as presently used for the name used for the actual lookup and connection.

Proposed on mailing list at http://lists.mindrot.org/pipermail/openssh-unix-dev/2015-February/033443.html.
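The following is an added example, not code from OpenSSH or from the patch attached to this bug. It builds a minimal host certificate blob in the ssh-ed25519-cert-v01@openssh.com wire format, pulls the valid principals out of it, and models the principal check two ways: with only the connection hostname considered (the 6.7p1 behaviour the description complains about) and with HostKeyAlias also accepted (the proposal). Assumptions: the key bytes and signature in the constructed blob are placeholders and are not verified; principal matching is modelled as an exact string comparison with an empty principal list accepting any host (the documented ssh-keygen behaviour for certificates issued without -n); the hostnames, the pool name and the IP 192.0.2.10 are constructed sample data.

```python
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1
SSH_CERT_TYPE_HOST = 2


def _string(b):
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def build_host_cert(principals, key_id="pool-host", cert_type=SSH_CERT_TYPE_HOST):
    """Constructed certificate for demonstration; field order follows PROTOCOL.certkeys.
    Key material and signature are placeholders (assumption: nothing is verified here)."""
    blob = _string(CERT_TYPE)
    blob += _string(b"\x00" * 32)                      # nonce (placeholder)
    blob += _string(b"\x11" * 32)                      # ed25519 public key (placeholder)
    blob += struct.pack(">Q", 1)                       # serial
    blob += struct.pack(">I", cert_type)               # 1 = user, 2 = host
    blob += _string(key_id.encode())
    blob += _string(b"".join(_string(p.encode()) for p in principals))
    blob += struct.pack(">Q", 0)                       # valid_after
    blob += struct.pack(">Q", 0xFFFFFFFFFFFFFFFF)      # valid_before (forever)
    blob += _string(b"")                               # critical options
    blob += _string(b"")                               # extensions
    blob += _string(b"")                               # reserved
    blob += _string(_string(b"ssh-ed25519") + _string(b"\x22" * 32))  # CA key (placeholder)
    blob += _string(_string(b"ssh-ed25519") + _string(b"\x33" * 64))  # signature (placeholder)
    return blob


class _Reader:
    """Sequential reader for SSH wire-format fields; raises on truncation."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def _take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated certificate")
        self.pos += n
        return chunk

    def u32(self):
        return struct.unpack(">I", self._take(4))[0]

    def u64(self):
        return struct.unpack(">Q", self._take(8))[0]

    def string(self):
        return self._take(self.u32())

    def done(self):
        return self.pos >= len(self.data)


def parse_cert(blob):
    """Return the certificate fields a client needs for the principal check."""
    r = _Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("not an ssh-ed25519 certificate")
    r.string()                          # nonce
    r.string()                          # public key
    r.u64()                             # serial
    cert_type = r.u32()
    key_id = r.string().decode()
    plist = _Reader(r.string())         # valid principals: nested list of strings
    principals = []
    while not plist.done():
        principals.append(plist.string().decode())
    return {"type": cert_type, "key_id": key_id, "principals": principals,
            "valid_after": r.u64(), "valid_before": r.u64()}


def principal_matches(cert, name):
    """Exact comparison, no wildcards (assumption: models OpenSSH's principal check);
    an empty principal list accepts any host, as ssh-keygen documents for certs without -n."""
    if cert["type"] != SSH_CERT_TYPE_HOST:
        return False
    return not cert["principals"] or name in cert["principals"]


def check_host_cert(cert, hostname, hostkeyalias=None, alias_may_match=False):
    """Return the name that satisfied the principal check, or None.
    alias_may_match=False models the 6.7p1 behaviour the bug describes (only the
    connection hostname is checked); True models the proposed behaviour."""
    candidates = [hostname]
    if alias_may_match and hostkeyalias:
        candidates.append(hostkeyalias)
    for name in candidates:
        if principal_matches(cert, name):
            return name
    return None


if __name__ == "__main__":
    # Constructed scenario: the CA signed the pool name plus one IP, not each member host.
    cert = parse_cert(build_host_cert(["pool.example.com", "192.0.2.10"]))
    print("principals:", cert["principals"])
    print("direct login, 6.7p1:", check_host_cert(cert, "host1.example.com", "pool.example.com"))
    print("direct login, proposal:", check_host_cert(cert, "host1.example.com", "pool.example.com", True))
    print("by IP while DNS is down:", check_host_cert(cert, "192.0.2.10"))
```

The real client does more than this before trusting a host certificate: it verifies the CA signature against a `@cert-authority` entry in known_hosts, checks the validity window, and rejects certificates whose type is not a host certificate. The example only isolates the principal comparison, which is the part the proposal changes; the caveat it makes visible is that a certificate issued for the pool name alone still rejects a direct login under the old logic, and that listing the IP as a principal is what rescues the DNS-outage case.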
Comment 1 Damien Miller 2018-02-10 17:31:34 AEDT
Look at this for release
Comment 2 Damien Miller 2018-04-06 13:12:21 AEST
Move to OpenSSH 7.8 tracking bug
Comment 3 Damien Miller 2018-05-11 13:49:10 AEST

*** This bug has been marked as a duplicate of bug 2728 ***
Comment 4 Damien Miller 2021-04-23 14:56:28 AEST
closing resolved bugs as of 8.6p1 release