[Bug 1777] KnownHostsCommand

bugzilla-daemon at bugzilla.mindrot.org
Fri Oct 23 15:02:43 AEDT 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=1777

--- Comment #4 from Daniel Kahn Gillmor <dkg at fifthhorseman.net> ---
(In reply to Damien Miller from comment #3)
> This is possible to do, but without some significant changes is
> likely to be fairly inefficient. 
> 
> ssh reads known_hosts a couple of times during connection. At least
> once to figure out what host key algorithms are in use, then again
> to verify the hostkey sent 

This kind of information is host specific, and seems like it could be
directly cached instead of re-read.  Is this the sort of significant
change you're talking about, or is there more that needs doing?

> and (optionally) a couple of times to
> deal with UpdateHostkeys messages from the server.

UpdateHostKeys seems like it's about modifying the stored keys, right? 
that's a different thing than just reading it.

We'd need to specify some sort of interface for sending back updates to
the KnownHostsCommand as well, and this isn't something that was
specified in the initial feature request.

> This could result in the KnownHostsCommand being run a bunch of
> times and, unless it was very efficient, could make ssh pretty slow.

Even with caching and a single run for reading, a slow
KnownHostsCommand will make ssh pretty slow, in the same way that the
existing ProxyCommand can also make ssh pretty slow.  This is a
tradeoff that someone configuring a KnownHostsCommand would need to
make explicitly, but I don't think it should rule it out as a feature.

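As an added illustration, not code from this bug report or from OpenSSH (which at the time of this comment has no KnownHostsCommand), here is one shape such a command could take under an assumed interface: it receives the hostname as its single argument and prints known_hosts-format lines on stdout. Because the concern above is that ssh may run the command several times per connection, it memoises the result on disk for a short TTL so only the first run pays for the slow backend lookup. The backend here is a constructed directory of per-host files standing in for an LDAP or HTTP query; the directory names, the TTL and the argument convention are all assumptions, and the sample key material is made up.

```shell
#!/bin/sh
# Hypothetical KnownHostsCommand (added example; interface assumed, not OpenSSH's).
# Usage: known_hosts_lookup HOSTNAME  -> prints "HOSTNAME keytype base64key" lines.

KH_BACKEND_DIR="${KH_BACKEND_DIR:-./kh-backend}"   # constructed stand-in for a slow key source
KH_CACHE_DIR="${KH_CACHE_DIR:-./kh-cache}"         # per-host memo files
KH_CACHE_TTL="${KH_CACHE_TTL:-60}"                 # seconds a memo stays valid

# slow_lookup HOST: the expensive query. Here it reads "$KH_BACKEND_DIR/HOST",
# one "keytype base64key" per line, and emits known_hosts-format lines.
slow_lookup() {
    host="$1"
    f="$KH_BACKEND_DIR/$host"
    [ -r "$f" ] || return 1                        # unknown host: no output, non-zero exit
    while read -r ktype key; do
        [ -n "$ktype" ] || continue
        printf '%s %s %s\n' "$host" "$ktype" "$key"
    done < "$f"
}

# known_hosts_lookup HOST: validate the name, serve from the memo if fresh,
# otherwise query the backend once and store the answer for later invocations.
known_hosts_lookup() {
    host="$1"
    # The hostname comes from the ssh command line and is used as a path
    # component below, so reject anything that could escape the directories.
    case "$host" in
        ""|.|..|*/*) return 2 ;;
    esac
    mkdir -p "$KH_CACHE_DIR"
    c="$KH_CACHE_DIR/$host"
    if [ -f "$c" ]; then
        now=$(date +%s)
        mtime=$(stat -c %Y "$c" 2>/dev/null || stat -f %m "$c")   # GNU, then BSD stat
        if [ $((now - mtime)) -lt "$KH_CACHE_TTL" ]; then
            cat "$c"                                # cache hit: no backend round trip
            return 0
        fi
    fi
    # Cache miss or stale: write to a temp file and rename so a concurrent
    # ssh invocation never reads a half-written memo.
    slow_lookup "$host" > "$c.tmp" || { rm -f "$c.tmp"; return 1; }
    mv "$c.tmp" "$c"
    cat "$c"
}
```

Two caveats a practitioner would keep in mind: the memo turns the command's answer into something trusted for the TTL, so the cache directory needs the same protections as known_hosts itself; and ssh would still block for the full backend latency on the first run, which is the ProxyCommand-style tradeoff the comment describes.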