bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-12 14:42 UTC
[Bug 2728] New: HostKeyAlias not respected for certificate authority host key validation
https://bugzilla.mindrot.org/show_bug.cgi?id=2728

            Bug ID: 2728
           Summary: HostKeyAlias not respected for certificate authority host key validation
           Product: Portable OpenSSH
           Version: 7.5p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: antonio.e.russo at gmail.com

Created attachment 2994
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2994&action=edit
Patch to respect HostKeyAlias when using host certificates

When connecting to an ssh server by IP address (or another DNS name), with HostKeyAlias set to the name of the principal signed by the CA, one gets:

> key_cert_check_authority: invalid certificate
> Certificate invalid: name is not a listed principal

The proposed patch changes this behavior by using options.host_key_alias in the contingency that it is set.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
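Added example, not part of the original report and not OpenSSH's own code: a simplified C model of the principal check described in the report above, showing why a connection by IP address fails against a certificate issued for a name, and how preferring the alias changes the name that is checked. The struct `host_cert`, the functions `name_to_check` and `check_principal`, exact-match comparison, and all sample values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a host certificate: only its principal list. */
struct host_cert {
	const char *const *principals;
	size_t nprincipals;
};

/* Name to look for among the principals: the alias when one is set,
 * otherwise the name or address the user connected to. */
static const char *
name_to_check(const char *hostname, const char *host_key_alias)
{
	if (host_key_alias != NULL && *host_key_alias != '\0')
		return host_key_alias;
	return hostname;
}

/* Exact-match principal check (an assumption of this model).
 * Returns 0 on success, -1 with *reason set on failure. */
static int
check_principal(const struct host_cert *cert, const char *name,
    const char **reason)
{
	size_t i;

	for (i = 0; i < cert->nprincipals; i++)
		if (strcmp(cert->principals[i], name) == 0)
			return 0;
	*reason = "Certificate invalid: name is not a listed principal";
	return -1;
}

int
main(void)
{
	/* Constructed sample values. */
	static const char *const pr[] = { "web01.example.org" };
	struct host_cert cert = { pr, 1 };
	const char *host = "192.0.2.10", *alias = "web01.example.org";
	const char *reason = "ok";

	/* Reported behaviour: the alias is ignored, the address is checked. */
	if (check_principal(&cert, host, &reason) != 0)
		printf("without alias: %s\n", reason);
	/* Patched behaviour: the alias is checked instead. */
	if (check_principal(&cert, name_to_check(host, alias), &reason) == 0)
		printf("with alias: accepted\n");
	return 0;
}
```

In this model a configured alias replaces the dialled name entirely, so a connection made by the correct name but with a mismatched alias is rejected.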
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-21 12:51 UTC
[Bug 2728] HostKeyAlias not respected for certificate authority host key validation
https://bugzilla.mindrot.org/show_bug.cgi?id=2728

--- Comment #1 from Antonio Russo <antonio.e.russo at gmail.com> ---
Is this HostKeyAlias behavior intentional? If it is, is there a way to specify which principal should be expected on a host key certificate?

Should another configuration option be introduced to preserve pre-existing configurations' behavior?

Is there anything that I can do to help this process?
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-23 04:04 UTC
[Bug 2728] HostKeyAlias not respected for certificate authority host key validation
https://bugzilla.mindrot.org/show_bug.cgi?id=2728

Damien Miller <djm at mindrot.org> changed:

What                         | Removed                      | Added
-----------------------------+------------------------------+-------------------------------------
Attachment #2994 is obsolete | 0                            | 1
Assignee                     | unassigned-bugs at mindrot.org | djm at mindrot.org
CC                           |                              | djm at mindrot.org, dtucker at zip.com.au
Status                       | NEW                          | ASSIGNED
Attachment #2998 Flags       |                              | ok?(dtucker at zip.com.au)

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Created attachment 2998
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2998&action=edit
with documentation

Add documentation, match style(9)
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-23 04:04 UTC
[Bug 2728] HostKeyAlias not respected for certificate authority host key validation
https://bugzilla.mindrot.org/show_bug.cgi?id=2728

Damien Miller <djm at mindrot.org> changed:

What   | Removed | Added
-------+---------+------
Blocks |         | 2698

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2698
[Bug 2698] Tracking bug for OpenSSH 7.6 release
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-23 04:41 UTC
[Bug 2728] HostKeyAlias not respected for certificate authority host key validation
https://bugzilla.mindrot.org/show_bug.cgi?id=2728

Darren Tucker <dtucker at zip.com.au> changed:

What                   | Removed                   | Added
-----------------------+---------------------------+------
Attachment #2998 Flags | ok?(dtucker at zip.com.au) | ok+
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-24 05:50 UTC
[Bug 2728] HostKeyAlias not respected for certificate authority host key validation
https://bugzilla.mindrot.org/show_bug.cgi?id=2728

Damien Miller <djm at mindrot.org> changed:

What       | Removed  | Added
-----------+----------+---------
Status     | ASSIGNED | RESOLVED
Resolution | ---      | FIXED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Patch applied, this will be in OpenSSH 7.6.
bugzilla-daemon at bugzilla.mindrot.org
2018-Apr-06 02:26 UTC
[Bug 2728] HostKeyAlias not respected for certificate authority host key validation
https://bugzilla.mindrot.org/show_bug.cgi?id=2728

Damien Miller <djm at mindrot.org> changed:

What   | Removed  | Added
-------+----------+-------
Status | RESOLVED | CLOSED

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after release of OpenSSH 7.7.
bugzilla-daemon at bugzilla.mindrot.org
2018-May-11 03:49 UTC
[Bug 2728] HostKeyAlias not respected for certificate authority host key validation
https://bugzilla.mindrot.org/show_bug.cgi?id=2728

Damien Miller <djm at mindrot.org> changed:

What | Removed | Added
-----+---------+---------------------
CC   |         | charles at dyfis.net

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
*** Bug 2359 has been marked as a duplicate of this bug. ***