[Bug 80] Host key conflict with two servers on one IP

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Aug 22 04:57:58 EST 2002


------- Additional Comments From eric-ossh at brouhaha.com  2002-08-22 04:57 -------
This "HostKeyAlias" business seems like a flimsy excuse for not implementing a
feature that users want.  In this age of ubiquitous firewalls and NAT, it is NOT
reasonable to assume that two ports on the same IP address refer to the same
host, or to the same SSH server.  Even if you run two SSH daemons on one host,
as Dan Kaminsky suggests, it is NOT necessarily the case that they are under the
same administrative control or have the same security requirements, so it is not
reasonable to assume that they must have the same key.

I fail to see what the harm would be in storing the port number as part of the
known hosts database.  In the rare cases where there were two ports on the same
SSH server that did use the same key, it's not like this would cause the user
any problems.

Furthermore, it is not clear how to use the HostAlias option in a configuration
file to do the right thing.  It may well be possible, but the documentation does
not explain it adequately.  Suppose I have a machine "firewall", and port 1234
on its IP address is mapped to port 22 on an internal host "foo".  I tried
putting the following in the SSH configuration of an external machine:

     Host foo
          HostKeyAlias foo
          HostName firewall
          Port 1234

This basically works, except that it still gives a warning:

  Warning: the RSA host key for 'foo' differs from the key for the IP address
  Offending key for IP in /home/xx/.ssh/known_hosts:xx
  Matching host key in /home/ss/.ssh/known_hosts:xx
  Are you sure you want to continue connecting (yes/no)? 

So my questions are:

1)  What do I need to put in my SSH config so that I can say "ssh foo" and
    get the right behavior?

2)  Why is it so undesirable to simply implement a reasonable feature that
    users want?  I'd much rather just say "ssh -p 1234 firewall" and have
    the right thing happen, because I have a lot of hosts behind firewalls,
    and a lot of outside hosts that access them, and I really don't want
    to have to create n*m entries in SSH configurations to deal with it.

Lest you think that I'm begging for someone else to spend time writing code
for me, I'll point out that I'm perfectly happy to write the patch, provided
that there's a reasonable chance that it will be integrated into the standard
code base.  I don't want to have to rebuild SSH to add the patch every time
there's an update from the vendor; I would much rather see this feature
become standard, and it's obvious that other users would also.

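Editor's note (added example; this is not part of the bug comment and not
OpenSSH's own code): the lookup below models the port-qualified known_hosts
database the comment asks for.  Later OpenSSH releases adopted this exact
convention: a server on port 22 is stored under the bare name, any other port
under "[host]:port", so the sshd on firewall:1234 gets an entry of its own and
no longer collides with the key recorded for "firewall".  The warning quoted
above comes from the client's extra check of the host key against the entry for
the IP address; the ssh_config option "CheckHostIP no" disables that check.
Host names, key blobs and the salt in the sample are constructed placeholders;
hostnames are lowercased before matching as a simplification, and
@cert-authority/@revoked marker lines are skipped rather than modelled.

```python
# Added example: port-qualified known_hosts lookup, in the spirit of the
# feature requested above.  Port 22 is stored bare, any other port as
# "[host]:port", so two servers behind one IP get separate entries.
import base64
import hashlib
import hmac
import re

DEFAULT_PORT = 22


def host_label(host: str, port: int = DEFAULT_PORT) -> str:
    """Name under which a (host, port) pair is stored in known_hosts."""
    host = host.lower()
    return host if port == DEFAULT_PORT else f"[{host}]:{port}"


def hashed_entry(label: str, salt: bytes) -> str:
    """HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(salt, label))."""
    mac = hmac.new(salt, label.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def _pattern_matches(pattern: str, label: str) -> bool:
    """Match one host pattern: hashed, or plain with '*' and '?' wildcards.

    '[' and ']' are literal here (unlike fnmatch), since they delimit the
    "[host]:port" form.
    """
    if pattern.startswith("|1|"):
        parts = pattern.split("|")
        if len(parts) != 4:
            return False
        return hashed_entry(label, base64.b64decode(parts[2])) == pattern
    regex = re.escape(pattern.lower()).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, label) is not None


def _line_matches(patterns: str, label: str) -> bool:
    """Comma-separated pattern list; a matching '!'-negated pattern vetoes the line."""
    matched = False
    for pat in patterns.split(","):
        if pat.startswith("!"):
            if _pattern_matches(pat[1:], label):
                return False
        elif _pattern_matches(pat, label):
            matched = True
    return matched


def lookup_host_keys(known_hosts: str, host: str, port: int = DEFAULT_PORT):
    """Return [(keytype, base64key), ...] recorded for this host and port."""
    label = host_label(host, port)
    found = []
    for raw in known_hosts.splitlines():
        line = raw.strip()
        # Blank lines, comments and @cert-authority/@revoked marker lines are
        # skipped; the markers need their own handling, not a plain key match.
        if not line or line.startswith(("#", "@")):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        if _line_matches(fields[0], label):
            found.append((fields[1], fields[2]))
    return found


# Constructed sample known_hosts: the key blobs are placeholders, not real keys.
_SALT = bytes(range(20))  # constructed salt; OpenSSH uses a random one per line
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# key of the firewall's own sshd on port 22",
    "firewall,192.0.2.1 ssh-rsa AAAAB3NzaC1yc2E-FIREWALL",
    "# internal host 'foo', reached through the firewall's port 1234",
    "[firewall]:1234 ssh-rsa AAAAB3NzaC1yc2E-FOO",
    "# a second forwarded host, stored hashed (HashKnownHosts yes)",
    hashed_entry(host_label("firewall", 2222), _SALT)
    + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5-BAR",
    "# wildcard with a negated exception",
    "*.internal,!untrusted.internal ssh-ed25519 AAAAC3NzaC1lZDI1NTE5-INTERNAL",
])


if __name__ == "__main__":
    for host, port in [("firewall", 22), ("firewall", 1234), ("firewall", 2222),
                       ("db.internal", 22), ("untrusted.internal", 22)]:
        print(host_label(host, port), "->",
              lookup_host_keys(SAMPLE_KNOWN_HOSTS, host, port))
```

Running it shows the point of the request: "firewall" and "[firewall]:1234"
resolve to different keys without any conflict, while a lookup that ignored
the port would hand the firewall's own key to the connection meant for foo.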
