Bug 2728

Summary: HostKeyAlias not respected for certificate authority host key validation
Product: Portable OpenSSH Reporter: Antonio Russo <antonio.e.russo>
Component: sshAssignee: Damien Miller <djm>
Status: CLOSED FIXED    
Severity: normal CC: charles, djm, dtucker
Priority: P5    
Version: 7.5p1   
Hardware: All   
OS: All   
Bug Depends on:    
Bug Blocks: 2698    
Attachments:
Description Flags
Patch to respect HostKeyAlias when using host certificates
none
with documentation dtucker: ok+

Description Antonio Russo 2017-06-13 00:42:52 AEST 
Created attachment 2994 [details]
Patch to respect HostKeyAlias when using host certificates

When connecting to ssh server by IP address (or another DNS name), with HostKeyAlias set to the name of the principal signed by the CA, one gets:

> key_cert_check_authority: invalid certificate
> Certificate invalid: name is not a listed principal

The proposed patch changes this behavior by using options.host_key_alias in the contingency that it is set.
Comment 1 Antonio Russo 2017-06-21 22:51:25 AEST 
Is this HostKeyAlias behavior intentional? If it is, is there a way to specify which principal should be expected on a host key certificate? 

Should another configuration option be introduced to preserve pre-existing configurations' behavior?

Is there anything that I can do to help this process?
Comment 2 Damien Miller 2017-06-23 14:04:19 AEST 
Created attachment 2998 [details]
with documentation

Add documentation, match style(9)
Comment 3 Damien Miller 2017-06-24 15:50:23 AEST 
Patch applied, this will be in OpenSSH 7.6.
Comment 4 Damien Miller 2018-04-06 12:26:43 AEST 
Close all resolved bugs after release of OpenSSH 7.7.
Comment 5 Damien Miller 2018-05-11 13:49:10 AEST 
*** Bug 2359 has been marked as a duplicate of this bug. ***