upstream commit
use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728; ok dtucker@ Upstream-ID: dc2e11c83ae9201bbe74872a0c895ae9725536dd
parent 8904ffce05
commit 6f8ca3b925
@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh_config.5,v 1.250 2017/05/30 19:38:17 jmc Exp $
.Dd $Mdocdate: May 30 2017 $
.\" $OpenBSD: ssh_config.5,v 1.251 2017/06/24 05:35:05 djm Exp $
.Dd $Mdocdate: June 24 2017 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@ -809,7 +809,7 @@ The list of available key types may also be obtained using
.It Cm HostKeyAlias
Specifies an alias that should be used instead of the
real host name when looking up or saving the host key
in the host key database files.
in the host key database files and when validating host certificates.
This option is useful for tunneling SSH connections
or for multiple servers running on a single host.
.It Cm HostName
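Review bot: the added clause "and when validating host certificates." is a behaviour change for anyone who already sets HostKeyAlias and relies on CA-signed host certificates: the alias, not the real host name, is now matched against the certificate's principals, so existing certificates whose principals list only the real name will stop validating for those hosts. The man page should say so explicitly, for example "When HostKeyAlias is set, the host certificate's principals must include the alias rather than the real host name", and the change deserves a release-notes entry. It would also help to state here that the alias takes precedence over a name produced by CanonicalizeHostname, since the sshconnect.c hunk in this commit uses the alias whenever it is non-NULL.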
@ -1,4 +1,4 @@
/* $OpenBSD: sshconnect.c,v 1.280 2017/05/30 14:13:40 markus Exp $ */
/* $OpenBSD: sshconnect.c,v 1.281 2017/06/24 05:35:05 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -863,7 +863,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
host, type, want_cert ? "certificate" : "key");
debug("Found %s in %s:%lu", want_cert ? "CA key" : "key",
host_found->file, host_found->line);
if (want_cert && !check_host_cert(hostname, host_key))
if (want_cert &&
!check_host_cert(options.host_key_alias == NULL ?
hostname : options.host_key_alias, host_key))
goto fail;
if (options.check_host_ip && ip_status == HOST_NEW) {
if (readonly || want_cert)
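Review bot: the inline ternary `options.host_key_alias == NULL ? hostname : options.host_key_alias` changes which name is compared against the certificate's principals, but nothing on the failure path (`goto fail`) tells the user that the alias rather than the real host name was used, and the debug() call just above still reports `host`. Suggest hoisting the selection into a named local before the check, e.g. `const char *cert_host = options.host_key_alias != NULL ? options.host_key_alias : hostname;`, passing `cert_host` to check_host_cert(), and including it in the debug or error output, so that someone whose certificate lists only the real host name can see why validation fails once HostKeyAlias is set. A short comment stating that the alias intentionally overrides the (possibly canonicalized) hostname for principal matching would also make the intent of bz#2728 clear to the next reader.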
24
sshd.8
@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd.8,v 1.289 2017/05/07 23:12:57 djm Exp $
.Dd $Mdocdate: May 7 2017 $
.\" $OpenBSD: sshd.8,v 1.290 2017/06/24 05:35:05 djm Exp $
.Dd $Mdocdate: June 24 2017 $
.Dt SSHD 8
.Os
.Sh NAME
@ -652,9 +652,23 @@ Hostnames is a comma-separated list of patterns
and
.Ql \&?
act as
wildcards); each pattern in turn is matched against the canonical host
name (when authenticating a client) or against the user-supplied
name (when authenticating a server).
wildcards); each pattern in turn is matched against the host name.
When
.Nm sshd
is authenticating a client, such as when using
.Cm HostbasedAuthentication ,
this will be the canonical client host name.
When
.Xr ssh 1
is authenticating a server, this will be the either the host name
given by the user, the value of the
.Xr ssh 1
.Cm HostkeyAlias
if it was specified, or the canonical server hostname if the
.Xr ssh 1
.Cm CanonicalizeHostname
option was used.
.Pp
A pattern may also be preceded by
.Ql \&!
to indicate negation: if the host name matches a negated
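Review bot: typo in the added text: "this will be the either the host name" has a doubled article and should read "this will be either the host name". In the same sentence ".Cm HostkeyAlias" should be ".Cm HostKeyAlias", matching the option's spelling in the ssh_config.5 hunk of this commit. The three alternatives are also listed without saying which wins when more than one applies; since the sshconnect.c hunk uses the alias whenever it is set, suggest ordering them by precedence, e.g. "the value of the ssh(1) HostKeyAlias if it was specified; otherwise the canonical server host name if CanonicalizeHostname was used; otherwise the host name given by the user."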