Hostname handling of openssh

Christian Kurz shorty at getuid.de
Wed Jan 17 18:26:50 EST 2001


Hi,

I got the following bug report which makes the submitter very confused:

> $ ssh host
> The authenticity of host 'host' can't be established.
> RSA key fingerprint is 38:bf:b9:a3:e3:64:9a:28:c7:5f:ba:87:12:06:a9:10.
> Are you sure you want to continue connecting (yes/no)? yes
> Warning: Permanently added 'host,192.168.33.23' (RSA) to the list of known hosts.
> Last login: Tue Jan 16 23:13:38 2001 from host2.doma.in on pts/8
> Linux host 2.2.17pre16 #1 Fri Aug 11 22:00:38 CEST 2000 i686 unknown

> You have newmail.
> host% logout
> Connection to host closed.
> $ grep host .ssh/known_hosts
> host,192.168.33.23 1024 35 12131082570035376314617778062669953008287727...

> As you can see, it *does* add the IP number now (which is a good thing)
> but still not the FQDN. If the CVS version works for you, it is either
> a bug that got fixed, or the Debian package wasn't built properly.

> However I read the manpage of ssh, which says:

>              The canonical system name (as returned by name servers) is used
>              by sshd(8) to verify the client host when logging in; other names
>              are needed because ssh does not convert the user-supplied name to
>              a canonical name before checking the key, because someone with
>              access to the name servers would then be able to fool host au-
>              thentication.

> The weird thing is that this was in the manpage for 1.2.3 as well,
> in which ssh _does_ convert the user-supplied name to a canonical name.

> So now I'm confused - 1.2.3, the manpages, and apparently the CVS
> versions all describe and do different things.

> I think that the canonical name should be used when CheckHostIP
> is set to yes.

I just noticed that this really happens with the CVS-Version. So could
one of you guys please enlighten me? 

Ciao
     Christian
-- 
While the year 2000 (y2k) problem is not an issue for us, all Linux
implementations will be impacted by the year 2038 (y2.038k) issue. The Debian
Project is committed to working with the industry on this issue and we will
have our full plans and strategy posted by the first quarter of 2020.
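
An added example, not part of the original message and not OpenSSH code: a simplified Python model of a known_hosts lookup keyed on the name exactly as the user typed it, showing why the `host,192.168.33.23` entry from the report does not cover the FQDN. The key material, the name `host.example.org`, the function names and the result labels are constructed for illustration.

```python
import re

# Constructed entry in the layout shown in the report: "names bits exponent modulus".
# The modulus is a placeholder, not a real key.
KNOWN_HOSTS = "# constructed sample\nhost,192.168.33.23 1024 35 1234567890\n"


def parse_known_hosts(text):
    """Return (patterns, key) tuples, skipping blank lines and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names, key = line.split(None, 1)
        entries.append((names.split(","), key))
    return entries


def _glob(pattern):
    """Translate a host pattern ('*' and '?' wildcards only) into a regex."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("".join(parts), re.IGNORECASE)


def name_matches(patterns, name):
    """A line matches if any pattern matches and no '!'-negated pattern does."""
    matched = False
    for pat in patterns:
        negated = pat.startswith("!")
        if _glob(pat[1:] if negated else pat).fullmatch(name):
            if negated:
                return False
            matched = True
    return matched


def lookup(entries, name):
    """Keys stored under the literal name; no DNS canonicalisation is done."""
    return [key for patterns, key in entries if name_matches(patterns, name)]


def classify(entries, typed_name, resolved_ip):
    """Simplified model: the typed name decides; the IP is only a cross-check."""
    if lookup(entries, typed_name):
        return "known"
    if lookup(entries, resolved_ip):
        return "name-unknown-ip-known"
    return "unknown"
```

In this model a resolver can change which address the client reaches, but never which known_hosts name the presented key is compared against, which is the rationale the quoted manpage text gives for not canonicalising.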