Bug 1745 - Matching @cert-authority entries when using unqualified hostnames
Summary: Matching @cert-authority entries when using unqualified hostnames
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: -current
Hardware: Other Other
Importance: P2 enhancement
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks: V_5_6
Reported: 2010-03-27 10:07 AEDT by Iain Morgan
Modified: 2010-08-27 10:28 AEST (History)

See Also:


Description Iain Morgan 2010-03-27 10:07:15 AEDT
When connecting to a server in the same DNS domain using an unqualified
hostname, it can be problematic to find a safe pattern to allow an
@cert-authority record to validate a host certificate.

It would make host certificates much more useful if either the
hostname of the server were canonicalized before matching against the
@cert-authority record, or (as suggested by Damien) the ability to
match against the IP address using CIDR notation were added.
Comment 1 Damien Miller 2010-07-19 13:19:02 AEST
The change to support %h expansion in ssh_config Hostname options has been checked in and will be in openssh-5.6. This should allow the hacky approach that we discussed on the mailing list:

Host *.*
  Hostname %h

Host *
  Hostname %h.my.domain.org

Without requiring new API from the resolver, I can't think of a better way unfortunately.
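To show why the two-block ssh_config above lets an unqualified name reach a wildcard @cert-authority entry, here is an added simulation of the relevant ssh_config and known_hosts matching rules (example code written for this page, not code from the bug report or from OpenSSH; the config text and the my.domain.org domain come from the comment, the known_hosts line and its placeholder CA key are constructed):

```python
import fnmatch

# Constructed copy of the workaround config from the comment above.
SSH_CONFIG = """
Host *.*
  Hostname %h

Host *
  Hostname %h.my.domain.org
"""

# Constructed known_hosts entry: marker, host pattern, key type, placeholder key.
KNOWN_HOSTS = [
    "@cert-authority *.my.domain.org ssh-rsa AAAA-PLACEHOLDER-CA-KEY",
]


def parse_config(text):
    """Return (host_patterns, options) blocks in file order."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            blocks.append((value.split(), {}))
        elif blocks:
            # ssh_config keeps the first value seen for each option.
            blocks[-1][1].setdefault(key.lower(), value.strip())
    return blocks


def effective_hostname(user_host, config_text):
    """First matching Host block wins; %h expands to the name the user typed.
    fnmatch '*' matches dots too, like OpenSSH's pattern matching."""
    for patterns, options in parse_config(config_text):
        if any(fnmatch.fnmatchcase(user_host, p) for p in patterns):
            if "hostname" in options:
                return options["hostname"].replace("%h", user_host)
    return user_host


def ca_pattern_matches(hostname, known_hosts):
    """True if an @cert-authority line's pattern list covers hostname."""
    for line in known_hosts:
        fields = line.split()
        if len(fields) < 3 or fields[0] != "@cert-authority":
            continue
        if any(fnmatch.fnmatchcase(hostname, p) for p in fields[1].split(",")):
            return True
    return False
```

Typing `ssh foo` therefore connects to foo.my.domain.org, which the CA line covers, while an already-qualified name falls into the first block and is left untouched. Later OpenSSH releases added the CanonicalizeHostname and CanonicalDomains options, which perform this canonicalization natively.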
Comment 2 Darren Tucker 2010-08-27 10:28:08 AEST
With the release of OpenSSH 5.6p1 this bug is now considered closed.  If you have further problems please reopen or file a new bug as appropriate.