[Bug 2673] Multiple ssh keys for a given server

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Mon Jan 30 21:42:49 AEDT 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2673

--- Comment #3 from George Shuklin <george.shuklin at gmail.com> ---
(In reply to Darren Tucker from comment #1)
> (In reply to George Shuklin from comment #0)
> [...] 
> > 1) server booting from golden image. Golden image has 'build-in'
> > host ssh key which is changed after system configuration management
> > application set up proper ssh key for server.
> 
> The down side is that anyone with access to the golden image could
> MITM connections.

Yes, there is a risk, but it's less than 'use -R every time'. Adding
additional keys is not default configuration, so unexpected users
wouldn't be affected.

> > Proposition: permit multiple host keys for a given server name
> > and/or IP address.
> 
> Anyway, that's already possible but for different host key types. 
> You could set HostKeyAlgorithms=ssh-rsa for one host and
> HostKeyAlgorithms=ssh-ed25519 on the other.
> 
> I think having multiple keys of the same type valid for one host is
> a risk, though.


Is there any reason why having two different keys with different algorithms is OK,
but having two different keys with the same algorithm is not OK?

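The thread turns on a property of the client's known_hosts file: OpenSSH will keep one pinned key per host name per key type (so an RSA key from the golden image and an ed25519 key set afterwards can coexist, and HostKeyAlgorithms in ssh_config selects which type is negotiated), whereas two distinct keys of the same type for one name is the case Darren Tucker flags as a risk. The following audit script is an added example written for this page; it is not code from the bug report or from OpenSSH. The host names, IP address and key blobs in SAMPLE_KNOWN_HOSTS are constructed placeholders, and candidate_keys() uses a deliberately simplified model of the client's key-type selection (assumption: only the HostKeyAlgorithms order matters) rather than OpenSSH's actual negotiation logic.

```python
"""Audit an OpenSSH known_hosts file for the situation discussed in the
bug thread: one host name carrying several pinned keys.

Constructed example, not part of the bug report or of OpenSSH. The
known_hosts content below is made up; the base64 blobs are placeholders,
not real keys.
"""
from collections import defaultdict

# Constructed sample: "build1" has an RSA key (say, from the golden image)
# and an ed25519 key (set after configuration), which OpenSSH tolerates
# because the types differ. "build2" has two distinct ed25519 keys, the
# same-type case called a risk in the thread. A revoked entry and a
# hashed entry are included to show they are handled.
SAMPLE_KNOWN_HOSTS = """\
# comment line
build1.example.com,10.0.0.11 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC_PLACEHOLDER_RSA_1
build1.example.com,10.0.0.11 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI_PLACEHOLDER_ED_1
build2.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI_PLACEHOLDER_ED_2
build2.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI_PLACEHOLDER_ED_3 golden-image
@revoked build3.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI_PLACEHOLDER_ED_4
|1|c2FsdA==|aGFzaA== ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI_PLACEHOLDER_ED_5
"""


def parse_known_hosts(text):
    """Yield (marker, hostname, keytype, key) for every pinned key.

    Lines may start with a marker such as @cert-authority or @revoked.
    Hashed entries (|1|salt|hash) are yielded with the hash string as the
    hostname: without the salt they cannot be matched to a plain name, so
    the audit groups them only by their literal form.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue  # malformed line, ignore
        hosts, keytype, key = fields[0], fields[1], fields[2]
        for host in hosts.split(","):
            yield marker, host, keytype, key


def keys_by_host(text):
    """Map hostname -> keytype -> set of distinct keys, skipping @revoked."""
    table = defaultdict(lambda: defaultdict(set))
    for marker, host, keytype, key in parse_known_hosts(text):
        if marker == "@revoked":
            continue
        table[host][keytype].add(key)
    return table


def same_type_duplicates(text):
    """Hosts that carry more than one distinct key of the same type."""
    found = {}
    for host, types in keys_by_host(text).items():
        for keytype, keys in types.items():
            if len(keys) > 1:
                found[(host, keytype)] = sorted(keys)
    return found


def candidate_keys(text, host, host_key_algorithms):
    """Pinned keys a connection to `host` could be verified against when
    ssh_config limits HostKeyAlgorithms to the given list.

    Simplified model (assumption): only the key types named in
    HostKeyAlgorithms are considered, in the order given. Real OpenSSH
    also reorders types it already holds keys for; that is out of scope.
    """
    types = keys_by_host(text).get(host, {})
    result = []
    for algo in host_key_algorithms:
        for key in sorted(types.get(algo, ())):
            result.append((algo, key))
    return result


if __name__ == "__main__":
    for (host, keytype), keys in same_type_duplicates(SAMPLE_KNOWN_HOSTS).items():
        print(f"{host}: {len(keys)} distinct {keytype} keys pinned")
    print(candidate_keys(SAMPLE_KNOWN_HOSTS, "build1.example.com", ["ssh-rsa"]))
```

Run against a real file with `same_type_duplicates(open("~/.ssh/known_hosts").read())` (path expanded as appropriate); any hit is a name for which the client would accept either of two same-type keys, which is exactly the weakening the reply in the thread objects to, while the two-type arrangement for build1 passes the check.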