[ssh_x509] x509v3-ssh-rsa hostkey algorithm on Cisco IOS XE

ssh_x509 at roumenpetrov.info
Sun Feb 23 11:10:02 EET 2020


ssh_x509 at roumenpetrov.info wrote:
> Hello Sergei,
>
> ssh_x509 at roumenpetrov.info wrote:
>> Hello Roumen, 
[SNIP]
>> Am I understanding right that as of now PKIX-SSH just compares the CN in the
>> certificate that it was presented with and, if there's a match, it considers
>> that the SSH server is authentic?
>
> This sounds like a regression ...

This is a regression in the 11.3 release. It is now corrected (code pushed to the
repository) and will be part of the 12.4.2 release.
With the restored functionality, X.509 host keys are verified and validated
before the check in the known hosts file.
The new model is different from the previous one (all pre-11.3 releases), where the
X.509 host key was checked first and then verified and validated.

Thanks for remark,
Roumen Petrov
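The two orderings discussed in this message, as an added Go example that is not code from PKIX-SSH or from this thread. It uses Go's crypto/x509 for the chain check, a constructed host name (router.example.net) and a deliberately simplified known_hosts model (host name mapped to the expected subject CN) in place of the real known_hosts format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a certificate for cn: self-signed when parent is nil, else signed by parent/parentKey.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors ignored to keep the example short
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func cnOnlyCheck(cert *x509.Certificate, knownHosts map[string]string, host string) bool {
	return knownHosts[host] == cert.Subject.CommonName // the 11.3 regression: a CN match alone was trusted
}

func verifyHostCert(cert *x509.Certificate, roots *x509.CertPool, knownHosts map[string]string, host string) bool { // restored order
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return false // untrusted issuer, expired or wrong name: known_hosts is never consulted
	}
	return cnOnlyCheck(cert, knownHosts, host) // only a validated certificate reaches the known_hosts comparison
}

func main() {
	const host = "router.example.net" // constructed sample host name
	ca, caKey := makeCert("ca.example.net", true, nil, nil)
	genuine, _ := makeCert(host, false, ca, caKey) // issued by the trusted CA
	rogue, _ := makeCert(host, false, nil, nil)    // self-signed with the same CN
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	known := map[string]string{host: host} // simplified known_hosts: host -> expected subject CN
	fmt.Println(cnOnlyCheck(rogue, known, host), verifyHostCert(genuine, roots, known, host), verifyHostCert(rogue, roots, known, host))
}
```

Run as is it prints `true true false`: the CN-only comparison accepts the self-signed certificate, while the restored order rejects it before the known hosts file is consulted.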
