[jira] [Resolved] (SSHD-1167) KnownHostsServerKeyVerifier: handle CA keys

Thomas Wolf (Jira) Thu, 27 Feb 2025 14:12:09 -0800


     [ 
https://issues.apache.org/jira/browse/SSHD-1167?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Thomas Wolf resolved SSHD-1167.
-------------------------------
    Fix Version/s: 2.16.0
         Assignee: Thomas Wolf
       Resolution: Fixed

Fixed with 
[18e30f691|https://github.com/apache/mina-sshd/commit/18e30f69174bb693a6cc622bcc8d9fdb033546f0].

> KnownHostsServerKeyVerifier: handle CA keys
> -------------------------------------------
>
>                 Key: SSHD-1167
>                 URL: https://issues.apache.org/jira/browse/SSHD-1167
>             Project: MINA SSHD
>          Issue Type: Improvement
>    Affects Versions: 2.8.0
>            Reporter: Thomas Wolf
>            Assignee: Thomas Wolf
>            Priority: Major
>             Fix For: 2.16.0
>
>
> {{AbstractClientSession.checkKeys()}} correctly calls the 
> {{ServerKeyVerifier}} to verify the CA key. 
> OpenSSH considers for the check of the CA public key only entries in 
> known_hosts that have the "@cert-authority" marker. 
> {{KnownHostsServerKeyVerifier}} should do the same.
> This may need an API change to tell the {{ServerKeyVerifier}} whether the 
> public key being verified is a CA key or not.
> Also, CA public keys are never added to known_hosts in OpenSSH? At least 
> that's the impression I get when looking through the OpenSSH code.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org
For additional commands, e-mail: dev-h...@mina.apache.org

[jira] [Resolved] (SSHD-1167) KnownHostsServerKeyVerifier: handle CA keys

Reply via email to