Bug 2041 - Check for SSHFP when certificate is offered.
Summary: Check for SSHFP when certificate is offered.
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 6.1p1
Hardware: All All
Importance: P5 enhancement
Assignee: Assigned to nobody
Reported: 2012-08-31 19:48 AEST by Ondrej Caletka
Modified: 2014-01-28 23:10 AEDT

Attachments
Check for SSHFP when certificate is offered. (2.09 KB, patch)
2012-08-31 19:48 AEST, Ondrej Caletka
Check for SSHFP when certificate is offered (2.09 KB, patch)
2014-01-28 23:10 AEDT, Ondrej Caletka

Description Ondrej Caletka 2012-08-31 19:48:08 AEST
Created attachment 2185 [details]
Check for SSHFP when certificate is offered.

When sshd offers a certificate to the client (which is the default when such a certificate is configured), the client refuses to do SSHFP validation for the key embedded in the certificate.

This patch fixes this by dropping the certificate for the purpose of checking SSHFP records, yet retaining the certificate for other checks if SSHFP authentication fails. It is therefore possible to fall back to certificate authentication when, for instance, the client does not have DNSSEC-enabled connectivity.
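
The check described in this report, sketched as an added Python example (not the attached patch and not OpenSSH code): it rebuilds the plain public key blob from a certificate blob by dropping the certificate fields, then compares its digest with an SSHFP record, generalized to the certificate key types listed in its table. The SSHFP fields are passed in as arguments on the assumption that the resolver has already validated them with DNSSEC; the function names and the sample blob are constructed for illustration.

```python
import hashlib
import struct

# certificate key type -> (plain key type, public-key field count, SSHFP algorithm)
CERT_TYPES = {
    b"ssh-rsa-cert-v01@openssh.com": (b"ssh-rsa", 2, 1),  # e, n
    b"ssh-dss-cert-v01@openssh.com": (b"ssh-dss", 4, 2),  # p, q, g, y
    b"ecdsa-sha2-nistp256-cert-v01@openssh.com": (b"ecdsa-sha2-nistp256", 2, 3),
    b"ssh-ed25519-cert-v01@openssh.com": (b"ssh-ed25519", 1, 4),  # pk
}
FP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}  # SSHFP fingerprint types

def put_string(data):
    """Encode an SSH wire-format string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def get_string(buf, off):
    """Decode one SSH string at offset off; return (bytes, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:end], end

def drop_cert(cert_blob):
    """Return (plain key blob, SSHFP algorithm) for the key inside a certificate."""
    key_type, off = get_string(cert_blob, 0)
    if key_type not in CERT_TYPES:
        raise ValueError("not a supported certificate key type")
    plain_type, nfields, alg = CERT_TYPES[key_type]
    _nonce, off = get_string(cert_blob, off)  # the nonce precedes the key fields
    plain = put_string(plain_type)
    for _ in range(nfields):  # mpints and strings share the same framing
        field, off = get_string(cert_blob, off)
        plain += put_string(field)
    return plain, alg

def sshfp_matches(cert_blob, rr_alg, rr_fptype, rr_hex):
    """True if an SSHFP record (algorithm, fp type, hex digest) matches the embedded key."""
    plain, alg = drop_cert(cert_blob)
    if rr_alg != alg or rr_fptype not in FP_HASHES:
        return False
    return FP_HASHES[rr_fptype](plain).hexdigest() == rr_hex.lower()

# Constructed sample: leading fields of an Ed25519 host certificate with a dummy key.
SAMPLE_CERT = (put_string(b"ssh-ed25519-cert-v01@openssh.com")
               + put_string(b"\x11" * 32) + put_string(bytes(range(32))))
```

A `False` result here corresponds to the fallback case in the report: the certificate is still available for the client's other host key checks.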
Comment 1 Ondrej Caletka 2014-01-28 23:10:09 AEDT
Created attachment 2404 [details]
Check for SSHFP when certificate is offered

This is the same patch, only rebased to the OpenSSH 6.4p1 codebase.