Charles Duffy
2015-Feb-19 18:37 UTC
Proposal: Allow HostKeyAlias to be used in hostname check against certificate principal.
Howdy -- I have a number of servers with host keys validated by certificates. These systems are behind a load-balanced frontend, and the certificates are signed as valid for the DNS name used by that common frontend address. This works well for the primary use case of the systems; however, when wishing to address only a single unit within the pool, the certificate cannot be used to validate that host's legitimacy, as the individual address of that host does not match against the name listed in the principal.

From the perspective of the end user, wishing to connect against a specific address (as specified in the HostName option), but perform validation against a user-specified name that differs from that address seems a legitimate request -- one may also have a situation where name resolution is not available, for instance, and wish to connect to a system whose name is known by IP without the situation posited above.

I'd like to propose that if HostKeyAlias is set, this be used as a second name against which a certificate may be considered valid, should it match. A trivial patch implementing this behavior is attached.
Ángel González
2015-Feb-19 21:32 UTC
Proposal: Allow HostKeyAlias to be used in hostname check against certificate principal.
On 19/02/15 19:37, Charles Duffy wrote:
> A trivial patch implementing this behavior is attached.

Also stripped by the mailing list. Make sure you are attaching it with the proper mime type.

PS: That seems a good idea.
Charles Duffy
2015-Feb-19 21:39 UTC
Proposal: Allow HostKeyAlias to be used in hostname check against certificate principal.
The note is appreciated. This patch is now available from github, as https://github.com/charles-dyfis-net/openssh-portable/compare/openssh:773dda2...charles-dyfis-net:host-key-alias-cert-check and as inline plaintext below.>From 367fd8323d864daaf486047850f93c2167c66f37 Mon Sep 17 00:00:00 2001From: Charles Duffy <charles at threatgrid.com> Date: Tue, 17 Feb 2015 09:49:32 -0600 Subject: [PATCH] Allow HostKeyAlias to match a host certificate principal if HostName does not --- sshconnect.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sshconnect.c b/sshconnect.c index df921be..666c3ff 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -902,7 +902,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, debug("Found %s in %s:%lu", want_cert ? "CA key" : "key", host_found->file, host_found->line); if (want_cert && !check_host_cert(hostname, host_key)) - goto fail; + if (options.host_key_alias == NULL || !check_host_cert(options.host_key_alias, host_key)) + goto fail; if (options.check_host_ip && ip_status == HOST_NEW) { if (readonly || want_cert) logit("%s host key for IP address " -- 2.0.0 On Thu, Feb 19, 2015 at 3:32 PM, ?ngel Gonz?lez <keisial at gmail.com> wrote:> On 19/02/15 19:37, Charles Duffy wrote: >> >> A trivial patch implementing this behavior is attached. > > Also stripped by the mailing list. Make sure you are attaching it with the > proper mime type. > > > PS: That seems a good idea. > > >
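Review bot: The fallback added under `if (want_cert && !check_host_cert(hostname, host_key))` accepts the certificate when its principal matches either `hostname` or `options.host_key_alias`, so setting an alias widens the set of names a host certificate can vouch for instead of replacing the name being validated. If the user has set HostKeyAlias, that is the identity they asked to verify; consider selecting one name up front (the alias when it is non-NULL, otherwise `hostname`) and making a single `check_host_cert()` call, which also avoids the brace-less nested `if` and the over-long condition line. The diffstat touches only sshconnect.c, so the HostKeyAlias description in ssh_config(5) should be updated in the same patch to state which name certificate principals are checked against.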