Bug 2359 - [PATCH] Allow HostKeyAlias to be used in hostname check against certificate principal
Status: CLOSED DUPLICATE of bug 2728
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 6.7p1
Hardware: All All
Importance: P5 enhancement
Assignee: Assigned to nobody
Blocks: V_7_8
Reported: 2015-02-24 04:59 AEDT by Charles Duffy
Modified: 2021-04-23 14:56 AEST

Attachments
First-draft proposed patch (955 bytes, patch)
2015-02-24 04:59 AEDT, Charles Duffy
Description Charles Duffy 2015-02-24 04:59:00 AEDT
Created attachment 2555
First-draft proposed patch

At present, an SSH certificate signed with the name of a round-robin pool can't be used to authenticate a single, specific host within that pool, if logging into it directly. Likewise, if DNS is temporarily unavailable, one cannot log into a system secured by a host certificate by IP unless its IP address is listed as a principal.

I propose to address this by allowing a name passed in the HostKeyAlias option to match a system's principal name in the same manner, and using the same logic, as presently used for the name used for the actual lookup and connection.

Proposed on mailing list at http://lists.mindrot.org/pipermail/openssh-unix-dev/2015-February/033443.html.
Comment 1 Damien Miller 2018-02-10 17:31:34 AEDT
Look at this for release
Comment 2 Damien Miller 2018-04-06 13:12:21 AEST
Move to OpenSSH 7.8 tracking bug
Comment 3 Damien Miller 2018-05-11 13:49:10 AEST

*** This bug has been marked as a duplicate of bug 2728 ***
Comment 4 Damien Miller 2021-04-23 14:56:28 AEST
closing resolved bugs as of 8.6p1 release