ssh/knownhosts: add IsHostAuthority.

This is a breaking change.

This adds a new hostkey callback which takes the hostname field
restrictions into account when validating host certificates.

Prior to this, a known_hosts file with the following entry

  @cert-authority *.example.com ssh-rsa <example.com public key>

would, when passed to knownhosts.New(), generate an ssh.HostKeyCallback
that would accept all host certificates signed by the example.com public
key, no matter what host the client was connecting to.

After this change, that known_hosts entry can only be used to validate
host certificates presented when connecting to hosts under *.example.com.

This also renames IsAuthority to IsUserAuthority to make its intended
purpose more clear.

Reviewed-by: Han-Wen Nienhuys <firstname.lastname@example.org>
Run-TryBot: Han-Wen Nienhuys <email@example.com>
TryBot-Result: Gobot Gobot <firstname.lastname@example.org>
4 files changed
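
The behaviour change described in the commit message, as an added example that is not part of the commit or of golang.org/x/crypto: a standard-library-only sketch of the decision "is this CA key an authority for this host", with the host-pattern check switched off (old behaviour) and on (new behaviour). The names `caTrusted` and `wildcardMatch`, the `checkHost` switch and the sample key blob are assumptions made for illustration; the `!` negated pattern goes slightly beyond the single entry in the message, and hashed host entries are not handled.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample; the key blob is a placeholder, not a real key.
const sampleCA = "ssh-rsa AAAAexampleCAkeyPLACEHOLDER"
const sample = "@cert-authority *.example.com,!legacy.example.com " + sampleCA

// wildcardMatch supports '*' (any run of characters) and '?' (one character).
func wildcardMatch(pat, s string) bool {
	if pat == "" {
		return s == ""
	}
	if pat[0] == '*' {
		return wildcardMatch(pat[1:], s) || (s != "" && wildcardMatch(pat, s[1:]))
	}
	return s != "" && (pat[0] == '?' || pat[0] == s[0]) && wildcardMatch(pat[1:], s[1:])
}

// caTrusted reports whether caKey ("type base64") is a host CA for host.
// checkHost=false ignores the pattern field (behaviour before the change);
// checkHost=true requires a matching, non-negated pattern (after the change).
func caTrusted(knownHosts, caKey, host string, checkHost bool) bool {
	for _, line := range strings.Split(knownHosts, "\n") {
		f := strings.Fields(line)
		if len(f) < 4 || f[0] != "@cert-authority" || f[2]+" "+f[3] != caKey {
			continue
		}
		ok, denied := !checkHost, false
		for _, p := range strings.Split(f[1], ",") {
			if neg := strings.TrimPrefix(p, "!"); neg != p {
				denied = denied || (checkHost && wildcardMatch(neg, host))
			} else {
				ok = ok || wildcardMatch(p, host)
			}
		}
		if ok && !denied {
			return true
		}
	}
	return false
}

func main() {
	for _, h := range []string{"db.example.com", "legacy.example.com", "evil.test"} {
		fmt.Println(h, caTrusted(sample, sampleCA, h, false), caTrusted(sample, sampleCA, h, true))
	}
}
```

When auditing a client built against the older package, the `checkHost=false` column is the trust decision it was making for every `@cert-authority` line.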