bugzilla-daemon at bugzilla.mindrot.org
2010-Mar-26 23:07 UTC
[Bug 1745] New: Matching @cert-authority entries when using unqualified hostnames
https://bugzilla.mindrot.org/show_bug.cgi?id=1745 Summary: Matching @cert-authority entries when using unqualified hostnames Product: Portable OpenSSH Version: -current Platform: Other OS/Version: Other Status: NEW Severity: normal Priority: P2 Component: ssh AssignedTo: unassigned-bugs at mindrot.org ReportedBy: imorgan at nas.nasa.gov When connecting to a server in the same DNS domain using an unqualified hostname, it can be problematic to find a safe pattern to allow an @cert-authority record to validate a host certificate. It would make host certificates much more useful if either the hostname of the server were canonicalized before matching against the @cert-authority record, or (as suggested by Damien) the ability to match against the IP address using CIDR notation were added. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Apr-10 01:25 UTC
[Bug 1745] Matching @cert-authority entries when using unqualified hostnames
https://bugzilla.mindrot.org/show_bug.cgi?id=1745 Iain Morgan <imorgan at nas.nasa.gov> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|normal |enhancement -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-19 03:19 UTC
[Bug 1745] Matching @cert-authority entries when using unqualified hostnames
https://bugzilla.mindrot.org/show_bug.cgi?id=1745 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |djm at mindrot.org Blocks| |1708 Status|NEW |RESOLVED Resolution| |FIXED --- Comment #1 from Damien Miller <djm at mindrot.org> --- The change to support %h expansion in ssh_config Hostname options has been checked in and will be in openssh-5.6. This should allow the hacky approach that we discussed on the mailing list: Host *.* Hostname %h Host * Hostname %h.my.domain.org Without requiring new API from the resolver, I can't think of a better way unfortunately. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Aug-27 00:28 UTC
[Bug 1745] Matching @cert-authority entries when using unqualified hostnames
https://bugzilla.mindrot.org/show_bug.cgi?id=1745 Darren Tucker <dtucker at zip.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #2 from Darren Tucker <dtucker at zip.com.au> --- With the release of OpenSSH 5.6p1 this bug is now considered closed. If you have further problems please reopen or file a new bug as appropriate. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
Apparently Analagous Threads
- [Bug 2305] New: sshd does not accept @cert-authority when doing host based authentication.
- [Bug 1039] Incomplete application of HostKeyAlias in ssh
- openssh-unix-dev Digest, Vol 123, Issue 13
- REQ: Minor change ton handling of without-password
- [Bug 1798] New: Add fsync() support to sftp/sftp-server