[Bug 2673] Multiple ssh keys for a given server
bugzilla-daemon at bugzilla.mindrot.org
Mon Jan 30 20:57:10 AEDT 2017
https://bugzilla.mindrot.org/show_bug.cgi?id=2673
Darren Tucker <dtucker at zip.com.au> changed:
What          |Removed |Added
----------------------------------------------------------------------------
CC            |        |dtucker at zip.com.au
--- Comment #1 from Darren Tucker <dtucker at zip.com.au> ---
(In reply to George Shuklin from comment #0)
[...]
> 1) server booting from golden image. Golden image has 'built-in'
> host ssh key which is changed after system configuration management
> application sets up proper ssh key for server.
The downside is that anyone with access to the golden image could MITM
connections.
> 2) server may reboot between two different operating systems, each
> using own host ssh key.
Copy one set of host keys and use it on both OSes.
> 3) DynDNS-related shuffling between few servers (at given time
> server is occupying one of the few known IPs, and is causing false
> alerts if that IP was known to be used by previous server).
Use CheckHostIP=no in the config for such hosts.
[...]
> Proposition: permit multiple host keys for a given server name
> and/or IP address.
Anyway, that's already possible but for different host key types. You
could set HostKeyAlgorithms=ssh-rsa for one host and
HostKeyAlgorithms=ssh-ed25519 on the other.
I think having multiple keys of the same type valid for one host is a
risk, though.
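The distinction drawn in the comment above (several host keys of different types for one name is something the client already handles via HostKeyAlgorithms; several keys of the same type for one name is the risky case) can be checked mechanically against a known_hosts file. The following script is an added example, not part of the bug report or of OpenSSH: it parses plain (unhashed) known_hosts entries, reports hosts that carry more than one key of the same type, lists hosts with keys of several types, and emits the per-host ssh_config stanzas the comment suggests (HostKeyAlgorithms restricted to the recorded types, CheckHostIP no for DynDNS-style hosts). All hostnames and key material in the sample are constructed; the keys are not real.

```python
"""Lint a known_hosts file for the multiple-host-key situations discussed above.

Added example, not code from the bug report or OpenSSH.  It assumes the plain
known_hosts format: "host[,host...] keytype base64key [comment]".  Hashed
(|1|...) entries and @cert-authority/@revoked markers are skipped.
"""
from collections import defaultdict

# Constructed sample known_hosts content; keys are dummy base64, not real keys.
SAMPLE_KNOWN_HOSTS = """\
# golden-image key and the key set later by configuration management (case 1)
build01.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoldenImageKeyXXXXXXXXXXXXXXXXXXXXXXX
build01.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConfiguredKeyXXXXXXXXXXXXXXXXXXXXXXXX
# dual-boot host: each OS uses a different key *type* (case 2)
dual.example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDummyRsaKeyForOsA
dual.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDummyEd25519ForOsB
# DynDNS host recorded with both its name and its current IP (case 3)
dyn.example.org,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDummyDynDnsKeyXXXXXXXXXXXXXXXXX
@cert-authority *.example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDummyCaKey
"""


def parse_known_hosts(text):
    """Return a list of (host, keytype, key) tuples for each plain entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):  # @cert-authority / @revoked: not a plain host key
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        hosts, keytype, key = fields[0], fields[1], fields[2]
        if hosts.startswith("|1|"):  # HashKnownHosts entry: hostname not recoverable
            continue
        # One line may name several hosts/addresses separated by commas.
        for host in hosts.split(","):
            entries.append((host, keytype, key))
    return entries


def find_same_type_duplicates(entries):
    """(host, keytype) -> sorted distinct keys, for pairs with more than one key.
    This is the case the comment calls a risk: the client cannot tell which
    ssh-ed25519 key is the legitimate one."""
    keys = defaultdict(set)
    for host, keytype, key in entries:
        keys[(host, keytype)].add(key)
    return {hk: sorted(ks) for hk, ks in keys.items() if len(ks) > 1}


def hosts_with_multiple_types(entries):
    """host -> sorted key types, for hosts that have keys of several types.
    This is the already-supported case (different key types per host)."""
    types = defaultdict(set)
    for host, keytype, _ in entries:
        types[host].add(keytype)
    return {h: sorted(t) for h, t in types.items() if len(t) > 1}


def allowlist_stanza(host, keytypes):
    """ssh_config stanza restricting the host to exactly the recorded key types,
    so an unexpected third type cannot be introduced unnoticed."""
    return f"Host {host}\n    HostKeyAlgorithms {','.join(keytypes)}\n"


def dyndns_stanza(host):
    """ssh_config stanza for a host whose IP rotates: stop checking the IP."""
    return f"Host {host}\n    CheckHostIP no\n"


if __name__ == "__main__":
    entries = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    for (host, keytype), keys in find_same_type_duplicates(entries).items():
        print(f"RISK: {host} has {len(keys)} distinct {keytype} keys; keep only one")
    for host, keytypes in hosts_with_multiple_types(entries).items():
        print(allowlist_stanza(host, keytypes))
    print(dyndns_stanza("dyn.example.org"))
```

Run it against a real ~/.ssh/known_hosts by reading the file into `parse_known_hosts`; the RISK lines are the entries worth cleaning up with `ssh-keygen -R` and re-adding the single correct key, while the generated stanzas can be pasted into ~/.ssh/config.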