[Bug 2673] Multiple ssh keys for a given server

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Mon Jan 30 20:57:10 AEDT 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2673

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au

--- Comment #1 from Darren Tucker <dtucker at zip.com.au> ---
(In reply to George Shuklin from comment #0)
[...] 
> 1) server booting from golden image. Golden image has 'built-in'
> host ssh key which is changed after system configuration management
> application set up proper ssh key for server.

The downside is that anyone with access to the golden image could MITM
connections.

> 2) server may reboot between two different operating systems, each
> using own host ssh key.

Copy one set of host keys and use it on both OSes.

> 3) DynDNS-related shuffling between a few servers (at given time
> server is occupying one of the few known IPs, and is causing false
> alerts if that IP was known to be used by previous server).

Use CheckHostIP=no in the config for such hosts.

[...]
> Proposition: permit multiple host keys for a given server name
> and/or IP address.

Anyway, that's already possible but for different host key types.  You
could set HostKeyAlgorithms=ssh-rsa for one host and
HostKeyAlgorithms=ssh-ed25519 on the other.

I think having multiple keys of the same type valid for one host is a
risk, though.

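An added audit script (not part of the bug report or of OpenSSH) that applies the last point of the comment to a client's known_hosts: it flags hosts that carry more than one distinct key of the same type, and separately lists hosts that carry several key types, which is the per-host HostKeyAlgorithms arrangement the comment describes. The known_hosts content and all key material are constructed for the example.

```python
"""Audit known_hosts for hosts with multiple keys of one type (risky) versus
hosts with one key per type (the HostKeyAlgorithms-per-host arrangement)."""
from collections import defaultdict

# Constructed sample: golden.example is pinned to one RSA and one ed25519
# key; dup.example has two different ssh-ed25519 keys plus a revoked one.
SAMPLE_KNOWN_HOSTS = """\
# constructed example, key blobs are not real keys
golden.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0FAKERSAKEYMATERIAL01
golden.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEED25519MATERIAL01
dup.example,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEED25519MATERIAL02
dup.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEED25519MATERIAL03
@revoked dup.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEED25519MATERIAL04
"""


def parse_known_hosts(text):
    """Yield (host, keytype, keyblob) per host pattern of each entry.
    '#' lines are skipped; '@revoked' entries never authenticate a server
    and are skipped; other markers (e.g. '@cert-authority') are stripped.
    Hashed hostnames (|1|...) are kept as opaque strings, so two hashed
    entries for the same host cannot be grouped by this script."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):
            if fields[0] == "@revoked":
                continue
            fields = fields[1:]
        if len(fields) < 3:
            continue  # malformed entry
        hosts, keytype, blob = fields[0], fields[1], fields[2]
        for host in hosts.split(","):
            yield host, keytype, blob


def audit(text):
    """Return (same_type, multi_type): same_type maps host -> {keytype:
    number of distinct keys} where that number exceeds one; multi_type
    maps host -> sorted key types for hosts with more than one type."""
    keys = defaultdict(lambda: defaultdict(set))
    for host, keytype, blob in parse_known_hosts(text):
        keys[host][keytype].add(blob)
    same_type = {}
    for host, types in keys.items():
        dups = {t: len(b) for t, b in types.items() if len(b) > 1}
        if dups:
            same_type[host] = dups
    multi_type = {h: sorted(t) for h, t in keys.items() if len(t) > 1}
    return same_type, multi_type


if __name__ == "__main__":
    risky, per_type = audit(SAMPLE_KNOWN_HOSTS)
    print("multiple keys of one type:", risky)
    print("one key per type:", per_type)
```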