Displaying 3 results from an estimated 3 matches for "check_host_cert".
2017 May 15
4
Golang CertChecker hostname validation differs to OpenSSH
...ted for a given host/port -
and I think that's what you are referring to above.
However once a line from known hosts is allowed for evaluation for a
host/port, there's a second matter of checking whether the certificate
presented contains the appropriate principal.
I think this is what "check_host_cert()" does, and as far as I can tell,
OpenSSH only passes it the hostname (not "host:port"). See:
https://github.com/openssh/openssh-portable/blob/f382362e8dfb6b277f16779ab1936399d7f2af78/sshconnect.c#L866
(for better or for worse, this would be roughly in line with X.509v3
cert host ma...
2015 Feb 19
2
Proposal: Allow HostKeyAlias to be used in hostname check against certificate principal.
Howdy --
I have a number of servers with host keys validated by certificates.
These systems are behind a load-balanced frontend, and the
certificates are signed as valid for the DNS name used by that common
frontend address.
This works well for the primary use case of the systems; however, when
wishing to address only a single unit within the pool, the certificate
cannot be used to validate that
2017 May 15
5
Golang CertChecker hostname validation differs to OpenSSH
Hi all,
Last week I noticed that the CertChecker in the Go implementation of
x/crypto/ssh seems to be doing host principal validation incorrectly
and filed the following bug:
https://github.com/golang/go/issues/20273
By default they are looking for a principal named "host:port" inside
of the certificate presented by the server, instead of just looking
for the host as I believe OpenSSH