bugzilla-daemon at mindrot.org
2012-Aug-31 09:48 UTC
[Bug 2041] New: Check for SSHFP when certificate is offered.
https://bugzilla.mindrot.org/show_bug.cgi?id=2041

          Priority: P5
            Bug ID: 2041
          Assignee: unassigned-bugs at mindrot.org
           Summary: Check for SSHFP when certificate is offered.
          Severity: enhancement
    Classification: Unclassified
                OS: All
          Reporter: ondrej at caletka.cz
          Hardware: All
            Status: NEW
           Version: 6.1p1
         Component: ssh
           Product: Portable OpenSSH

Created attachment 2185
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2185&action=edit
Check for SSHFP when certificate is offered.

When sshd offers a certificate to the client (which is the default when such a certificate is configured), the client refuses to do an SSHFP validation for the key embedded in the certificate.

This patch fixes this by dropping the certificate for the purpose of checking SSHFP records, yet retaining the certificate for other checks if SSHFP authentication fails. It is therefore possible to fall back to certificate authentication when, for instance, the client does not have DNSSEC-enabled connectivity.

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2014-Jan-28 12:10 UTC
[Bug 2041] Check for SSHFP when certificate is offered.
https://bugzilla.mindrot.org/show_bug.cgi?id=2041

Ondřej Caletka <ondrej at caletka.cz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2185|0                           |1
        is obsolete|                            |

--- Comment #1 from Ondřej Caletka <ondrej at caletka.cz> ---
Created attachment 2404
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2404&action=edit
Check for SSHFP when certificate is offered

This is the same patch, only rebased to OpenSSH 6.4p1 codebase.
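An added illustration of the check the report describes, not the attached patch or OpenSSH code: it reduces a host certificate to its embedded plain public key and compares that key's fingerprint with SSHFP records. It goes beyond the report by covering several key types; the function names and the sample blob are constructed, and the records are assumed to come from an already DNSSEC-validated answer.

```python
import hashlib
import struct

# Certificate key type -> (plain key type, public-key field count, SSHFP algorithm number)
CERT_TYPES = {
    b"ssh-rsa-cert-v01@openssh.com": (b"ssh-rsa", 2, 1),
    b"ssh-dss-cert-v01@openssh.com": (b"ssh-dss", 4, 2),
    b"ecdsa-sha2-nistp256-cert-v01@openssh.com": (b"ecdsa-sha2-nistp256", 2, 3),
    b"ssh-ed25519-cert-v01@openssh.com": (b"ssh-ed25519", 1, 4),
}

def read_string(buf, off):
    """Read one SSH wire-format field (uint32 length + bytes) at offset off."""
    if off + 4 > len(buf):
        raise ValueError("truncated length")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[off + 4:end], end

def put_string(data):
    return struct.pack(">I", len(data)) + data

def plain_key_from_cert(blob):
    """Return (plain public key blob, SSHFP algorithm) for a certificate blob."""
    ktype, off = read_string(blob, 0)
    if ktype not in CERT_TYPES:
        raise ValueError("not a supported certificate type")
    plain_type, nfields, sshfp_alg = CERT_TYPES[ktype]
    _nonce, off = read_string(blob, off)  # the nonce precedes the key fields
    out = put_string(plain_type)
    for _ in range(nfields):  # copy the key fields, drop everything after them
        field, off = read_string(blob, off)
        out += put_string(field)
    return out, sshfp_alg

def sshfp_matches(cert_blob, records):
    """records: (algorithm, fp_type, hex_digest) tuples; fp_type 1=SHA-1, 2=SHA-256."""
    plain, alg = plain_key_from_cert(cert_blob)
    digests = {1: hashlib.sha1(plain).hexdigest(), 2: hashlib.sha256(plain).hexdigest()}
    return any(a == alg and digests.get(t) == fp.lower() for a, t, fp in records)

# Constructed sample: certificate-shaped blob with a dummy key, cut off after the key id.
SAMPLE_KEY = bytes(range(32))
SAMPLE_CERT = (
    put_string(b"ssh-ed25519-cert-v01@openssh.com") + put_string(b"\x00" * 32)
    + put_string(SAMPLE_KEY) + struct.pack(">QI", 1, 2) + put_string(b"host.example")
)
```

When `sshfp_matches` returns False, the caller still holds the unmodified certificate blob and can continue with certificate validation, which is the fallback the report describes.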