openssh bugs - Mar 2010 - [Bug 1745] New: Matching @cert-authority entries when using unqualified hostnames

https://bugzilla.mindrot.org/show_bug.cgi?id=1745

           Summary: Matching @cert-authority entries when using
                    unqualified hostnames
           Product: Portable OpenSSH
           Version: -current
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: imorgan at nas.nasa.gov


When connecting to a server in the same DNS domain using an unqualified
hostname, it can be problematic to find a safe pattern to allow an
@cert-authority record to validate a host certificate.

It would make host certificates much more useful if either the
hostname of the server were canonicalized before matching against the
@cert-authority record, or (as suggested by Damien) the ability to
match against the IP address using CIDR notation were added.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1745

Iain Morgan <imorgan at nas.nasa.gov> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |enhancement

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1745

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Blocks|                            |1708
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #1 from Damien Miller <djm at mindrot.org>  ---
The change to support %h expansion in ssh_config Hostname options has
been checked in and will be in openssh-5.6. This should allow the hacky
approach that we discussed on the mailing list:

Host *.*
  Hostname %h

Host *
  Hostname %h.my.domain.org

Without requiring new API from the resolver, I can't think of a better
way unfortunately.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1745

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Darren Tucker <dtucker at zip.com.au>  ---
With the release of OpenSSH 5.6p1 this bug is now considered closed. 
If you have further problems please reopen or file a new bug as
appropriate.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.