[Bug 2293] ssh should have an option to automatically trust a local sshd's host key for a given set of names

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Oct 21 12:57:06 EST 2014


https://bugzilla.mindrot.org/show_bug.cgi?id=2293

--- Comment #1 from Christoph Anton Mitterer <calestyo at scientia.net> ---
I just saw, that NoHostAuthenticationForLocalhost=yes nearly already
does what I've asked for.

It even works for other names than "localhost", e.g. "ip6-localhost" or
"hostname" "hostname.fqdn", so I guess the check, whether a target is
localhost, is based on whether it resolves to 127.0.0.0/8 or ::1 ,
right?

1) I think it would be nice to have it in the manpage, how it actually
determines whether a host is local.


2) The only thing what would be missing from what I've asked for above,
is that it would also work for addresses (and names resolving to these)
that are bound to local interfaces, e.g. if my eth0 listens to 1.2.3.4,
then it is accepted as well.

But I'm no longer sure myself, whether this would be so smart and
secure.
The loopback device is defined to really go to the localhost only, but
any other addresses my have black magic functionality (e.g. address
rewriting).



I've reworked the documentation a bit:
https://github.com/openssh/openssh-portable/pull/10

Afterwards I think we can close this issue.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list