openssh unix dev - Feb 2015 - Proposal: Allow HostKeyAlias to be used in hostname check against certificate principal.

Howdy --

I have a number of servers with host keys validated by certificates.
These systems are behind a load-balanced frontend, and the
certificates are signed as valid for the DNS name used by that common
frontend address.

This works well for the primary use case of the systems; however, when
wishing to address only a single unit within the pool, the certificate
cannot be used to validate that host's legitimacy, as the individual
address of that host does not match against the name listed in the
principal.
>From the perspective of the end user, wishing to connect against a
specific address (as specified in the HostName option), but perform
validation against a user-specified name that differs from that
address seems a legitimate request -- one may also have a situation
where name resolution is not available, for instance, and wish to
connect to a system whose name is known by IP without the situation
posited above.

I'd like to propose that if HostKeyAlias is set, this be used as a
second name against which a certificate may be considered valid,
should it match.


A trivial patch implementing this behavior is attached.

On 19/02/15 19:37, Charles Duffy wrote:
> A trivial patch implementing this behavior is attached.
Also stripped by the mailing list. Make sure you are attaching it with 
the proper mime type.


PS: That seems a good idea.

The note is appreciated. This patch is now available from github, as
https://github.com/charles-dyfis-net/openssh-portable/compare/openssh:773dda2...charles-dyfis-net:host-key-alias-cert-check
and as inline plaintext below.

>From 367fd8323d864daaf486047850f93c2167c66f37 Mon Sep 17 00:00:00 2001
From: Charles Duffy <charles at threatgrid.com>
Date: Tue, 17 Feb 2015 09:49:32 -0600
Subject: [PATCH] Allow HostKeyAlias to match a host certificate principal if
 HostName does not

---
 sshconnect.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sshconnect.c b/sshconnect.c
index df921be..666c3ff 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -902,7 +902,8 @@ check_host_key(char *hostname, struct sockaddr
*hostaddr, u_short port,
                debug("Found %s in %s:%lu", want_cert ? "CA
key" : "key",
                    host_found->file, host_found->line);
                if (want_cert && !check_host_cert(hostname, host_key))
-                       goto fail;
+                       if (options.host_key_alias == NULL ||
!check_host_cert(options.host_key_alias, host_key))
+                               goto fail;
                if (options.check_host_ip && ip_status == HOST_NEW) {
                        if (readonly || want_cert)
                                logit("%s host key for IP address "
--
2.0.0

On Thu, Feb 19, 2015 at 3:32 PM, ?ngel Gonz?lez <keisial at gmail.com>
wrote:
> On 19/02/15 19:37, Charles Duffy wrote:
>>
>> A trivial patch implementing this behavior is attached.
>
> Also stripped by the mailing list. Make sure you are attaching it with the
> proper mime type.
>
>
> PS: That seems a good idea.
>
>
>