Displaying 3 results from an estimated 3 matches for "want_cert".
2015 Feb 19
2
Proposal: Allow HostKeyAlias to be used in hostname check against certificate principal.
Howdy --
I have a number of servers with host keys validated by certificates.
These systems are behind a load-balanced frontend, and the
certificates are signed as valid for the DNS name used by that common
frontend address.
This works well for the primary use case of the systems; however, when
wishing to address only a single unit within the pool, the certificate
cannot be used to validate that
2012 Dec 27
3
[PATCH] hostfile: list known names (if any) for new hostkeys
...ort,
Key *raw_key = NULL;
char *ip = NULL, *host = NULL;
char hostline[1000], *hostp, *fp, *ra;
- char msg[1024];
+ char msg[2048];
const char *type;
const struct hostkey_entry *host_found, *ip_found;
int len, cancelled_forwarding = 0;
int local = sockaddr_is_local(hostaddr);
int r, want_cert = key_is_cert(host_key), host_ip_differ = 0;
- struct hostkeys *host_hostkeys, *ip_hostkeys;
+ struct hostkeys *host_hostkeys, *ip_hostkeys, *key_hostkeys = NULL;
u_int i;
/*
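Review bot: msg grows from 1024 to 2048 bytes in the declarations at the top of check_host_key, so every write into it should be bounded by sizeof(msg) rather than a literal size. The visible lines do not show those call sites, so please confirm none of them still hard-codes 1024. Separately, key_hostkeys is initialised to NULL while host_hostkeys and ip_hostkeys are not; make sure it is released on every exit path alongside the other two.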
@@ -758,17 +758,17 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
host_hostkeys = init...
2024 Oct 14
2
[RFC] Preferentially TOFU certificate authorities rather than host keys
...tline[1000], *hostp, *fp, *ra;
+ char hostline[1000], *hostp, *fp, *cafp, *ra;
char msg[1024];
const char *type, *fail_reason = NULL;
const struct hostkey_entry *host_found = NULL, *ip_found = NULL;
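Review bot: cafp is added to the declaration next to fp and ra without an initialiser. If it is only assigned when the host key is a certificate, initialise it to NULL so that a common cleanup path can free it unconditionally. msg stays at 1024 bytes in this hunk, so if the CA fingerprint ends up in the user prompt, check that the message is built with a write bounded by sizeof(msg).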
@@ -973,6 +973,7 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo,
int r, want_cert = sshkey_is_cert(host_key), host_ip_differ = 0;
int hostkey_trusted = 0; /* Known or explicitly accepted by user */
struct hostkeys *host_hostkeys, *ip_hostkeys;
+ struct sshkey *cert = NULL;
u_int i;
/*
@@ -1189,13 +1190,20 @@ check_host_key(char *hostname, const struct ssh_conn_info *ci...