upstream commit

use HostKeyAlias if specified instead of hostname for
matching host certificate principal names; bz#2728; ok dtucker@

Upstream-ID: dc2e11c83ae9201bbe74872a0c895ae9725536dd
djm@openbsd.org 2017-06-24 05:35:05 +00:00 committed by Damien Miller
parent 8904ffce05
commit 6f8ca3b925
3 changed files with 26 additions and 10 deletions

ssh_config.5

@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: ssh_config.5,v 1.250 2017/05/30 19:38:17 jmc Exp $ .\" $OpenBSD: ssh_config.5,v 1.251 2017/06/24 05:35:05 djm Exp $
.Dd $Mdocdate: May 30 2017 $ .Dd $Mdocdate: June 24 2017 $
.Dt SSH_CONFIG 5 .Dt SSH_CONFIG 5
.Os .Os
.Sh NAME .Sh NAME
@ -809,7 +809,7 @@ The list of available key types may also be obtained using
.It Cm HostKeyAlias .It Cm HostKeyAlias
Specifies an alias that should be used instead of the Specifies an alias that should be used instead of the
real host name when looking up or saving the host key real host name when looking up or saving the host key
in the host key database files. in the host key database files and when validating host certificates.
This option is useful for tunneling SSH connections This option is useful for tunneling SSH connections
or for multiple servers running on a single host. or for multiple servers running on a single host.
.It Cm HostName .It Cm HostName
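Review bot: the added clause "and when validating host certificates" says the alias is consulted but not what it is compared against, which is the point a user configuring host certificates needs; since the alias replaces the real host name as the principal matched against the certificate's principal list, state that directly and spell out the consequence that the alias must appear among the certificate's principals, e.g. "in the host key database files, and as the principal name to match when validating a host certificate (the alias must therefore be listed among the certificate's principals)."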

sshconnect.c

@ -1,4 +1,4 @@
/* $OpenBSD: sshconnect.c,v 1.280 2017/05/30 14:13:40 markus Exp $ */ /* $OpenBSD: sshconnect.c,v 1.281 2017/06/24 05:35:05 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -863,7 +863,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
host, type, want_cert ? "certificate" : "key"); host, type, want_cert ? "certificate" : "key");
debug("Found %s in %s:%lu", want_cert ? "CA key" : "key", debug("Found %s in %s:%lu", want_cert ? "CA key" : "key",
host_found->file, host_found->line); host_found->file, host_found->line);
if (want_cert && !check_host_cert(hostname, host_key)) if (want_cert &&
!check_host_cert(options.host_key_alias == NULL ?
hostname : options.host_key_alias, host_key))
goto fail; goto fail;
if (options.check_host_ip && ip_status == HOST_NEW) { if (options.check_host_ip && ip_status == HOST_NEW) {
if (readonly || want_cert) if (readonly || want_cert)
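Review bot: the conditional `options.host_key_alias == NULL ? hostname : options.host_key_alias` is spread over three lines inside the `if` condition, which hides the actual argument to check_host_cert and leaves no single place to log which name the certificate was checked against; hoist it into a named local above the `if`, e.g. `const char *cert_host = options.host_key_alias != NULL ? options.host_key_alias : hostname;` and call `check_host_cert(cert_host, host_key)`. The debug messages just above report the known_hosts lookup key `host` and the file/line where the CA key was found, but nothing now records that the certificate principal check used the alias rather than the real host name, so a `debug("Checking host certificate principals against %s", cert_host);` would make mismatches straightforward to diagnose when HostKeyAlias is set.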

sshd.8

@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: sshd.8,v 1.289 2017/05/07 23:12:57 djm Exp $ .\" $OpenBSD: sshd.8,v 1.290 2017/06/24 05:35:05 djm Exp $
.Dd $Mdocdate: May 7 2017 $ .Dd $Mdocdate: June 24 2017 $
.Dt SSHD 8 .Dt SSHD 8
.Os .Os
.Sh NAME .Sh NAME
@ -652,9 +652,23 @@ Hostnames is a comma-separated list of patterns
and and
.Ql \&? .Ql \&?
act as act as
wildcards); each pattern in turn is matched against the canonical host wildcards); each pattern in turn is matched against the host name.
name (when authenticating a client) or against the user-supplied When
name (when authenticating a server). .Nm sshd
is authenticating a client, such as when using
.Cm HostbasedAuthentication ,
this will be the canonical client host name.
When
.Xr ssh 1
is authenticating a server, this will be the either the host name
given by the user, the value of the
.Xr ssh 1
.Cm HostkeyAlias
if it was specified, or the canonical server hostname if the
.Xr ssh 1
.Cm CanonicalizeHostname
option was used.
.Pp
A pattern may also be preceded by A pattern may also be preceded by
.Ql \&! .Ql \&!
to indicate negation: if the host name matches a negated to indicate negation: if the host name matches a negated
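Review bot: two wording defects in the new paragraph. "this will be the either the host name given by the user" has a doubled article and should read "this will be either the host name given by the user"; and the option is spelled `HostkeyAlias` here while ssh_config.5 (including the `.It Cm HostKeyAlias` entry touched in this same commit) spells it `HostKeyAlias`, so use the canonical spelling to keep the cross-reference searchable. The enumeration also reads as three parallel alternatives, but the code in sshconnect.c picks the alias whenever it is set regardless of canonicalization, so the sentence would be more accurate stating the precedence: the HostKeyAlias if specified, otherwise the canonical server host name if CanonicalizeHostname was used, otherwise the name given by the user. Minor: "server hostname" should be "server host name" to match the two-word form used throughout the paragraph.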