OpenSSH Key Storage

Michael T. Babcock mbabcock at fibrespeed.net
Fri Feb 1 15:07:01 EST 2002


I have had a brief discussion with Damien Miller (below) about storing 
host port values in the known_hosts file so as to track multiple ssh 
sessions (with independent keys) that run on a single host but accept 
connections on different ports.  If it were possible to state that a 
given key for a remote host belonged to that host's ssh session on port 
23 and that another key belonged to that same host but the session 
available on port 22, it would take away some of the grief in managing 
such connections.

I am presently using host aliases in the options file to handle this as
Damien suggested but explaining this to my clients is difficult when SSH
(commercial) has this seemingly simple feature built in.

> On Fri, Feb 01, 2002 at 10:17:07AM +1100, Damien Miller wrote:
> > On Thu, 31 Jan 2002, Michael T. Babcock wrote:
> >
> > > Without having looked at the config parsing code, does openssh care about
> > > how long the line is?  Could the additional information be stored after the
> > > key string on the same line?
> >
> > No, that is used for key comments.
>
> If I may take up more of your time with this, the first pre-space
> section is for hostname(s).  What if the port were specified here?
>
> host,ipaddress,port:22 1024 35 keyvalue1
> host,ipaddress,port:23 1024 35 keyvalue2
>
> As long as the port 22 entry comes first, there are no conflicts that I
> can see and portable OpenSSH is quite happy to connect and validate the
> key in version 3.0.2p1.  The additional information can, however, be
> used by more recent versions to select the correct line.

PS, I am not subscribed to this list.
-- 
Michael T. Babcock
CTO, FibreSpeed Ltd.     (Hosting, Security, Consultation, Database, etc)
http://www.fibrespeed.net/~mbabcock/
