[Bug 910] known_hosts port numbers

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Sep 9 21:33:01 EST 2005


http://bugzilla.mindrot.org/show_bug.cgi?id=910





------- Additional Comments From jherek at gmail.com  2005-09-09 21:33 -------
Let me add to the voice of support for including ports into the known_hosts file
(it's unclear to me from reading the comments as to whether there is an intent
to put it into the distribution or whether it will remain a patch).

There are many perfectly legitimate situations in which multiple ssh ports are
open on different ports, and there is no reason why they should all have the
same "host key".  In fact, the name "host key" presupposes, without much good
evidence, that "host" is the appropriate administrative unit for security; let's
call it a "service key", and then it's obvious that it should be stored under
both host and port.

I understand that the maintainers are concerned about spoofing, but the
scenarios that would lead to that strike me as unlikely.  In contrast, the
current situation causes everybody to constantly delete keys from known_hosts,
which really creates the potential for man-in-the-middle attacks.

The problem is exacerbated by the poor documentation of this problem in the ssh
manual page.
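
As an added illustration of the "service key" lookup the comment argues for (example code written for this page, not part of the bug report or of OpenSSH): a small Python parser that keys known_hosts entries by (host, port), using the `[host]:port` form OpenSSH uses for non-default ports, beside the host-only lookup the comment objects to. The host name and keys are constructed placeholders.

```python
# Constructed sample of a known_hosts file (placeholder keys, not real ones):
# the same host runs two sshd services with different keys, one on port 22
# and one on port 2222. "[host]:port" is the form OpenSSH uses for
# non-default ports; a bare hostname means port 22.
KEY_22 = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYFORPORT22"
KEY_2222 = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYFORPORT2222"
SAMPLE_KNOWN_HOSTS = f"""\
example.org ssh-ed25519 {KEY_22}
[example.org]:2222 ssh-ed25519 {KEY_2222}
"""


def parse_known_hosts(text):
    """Map (host, port) -> (keytype, key). Hashed entries and @-marker
    lines are out of scope for this illustration and are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "@", "|1|")):
            continue
        patterns, keytype, key = line.split()[:3]
        for pattern in patterns.split(","):
            if pattern.startswith("[") and "]:" in pattern:
                host, port = pattern[1:].rsplit("]:", 1)
                entries[(host, int(port))] = (keytype, key)
            else:
                entries[(pattern, 22)] = (keytype, key)
    return entries


def check_service_key(entries, host, port, keytype, key):
    """Lookup keyed by host AND port. 'new': nothing stored, the client
    would prompt; 'match': stored key equals the offered one; 'MISMATCH':
    the hard failure users otherwise clear by deleting the line, which is
    exactly what leaves them open to a real man-in-the-middle later."""
    stored = entries.get((host, port))
    if stored is None:
        return "new"
    return "match" if stored == (keytype, key) else "MISMATCH"


def check_host_only(entries, host, keytype, key):
    """The behaviour the comment objects to: lookup by host alone, so the
    key of a second service on another port reads as a changed host key."""
    for (stored_host, _port), stored in entries.items():
        if stored_host == host:
            return "match" if stored == (keytype, key) else "MISMATCH"
    return "new"
```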


