OpenSSH Key Storage

Dan Astoorian djast at
Sat Feb 2 04:00:34 EST 2002

On Fri, 01 Feb 2002 03:43:35 EST, Markus Friedl writes:
> if i connect to
> then i want the host key verified against the entry for

This might be a silly question:

The ssh client looks up the name provided on the command line in the
known_hosts databases, and compares the key provided by the server
against the one looked up.

Might it not make more sense for the mapping to happen in the other
direction?  I.e., to look up the key provided by the server to get a
list of known names and addresses associated with it?

That way, if I type
    ssh -p 2202

and that ultimately gets to, then the SSH client
could issue a warning like "You have requested a connection to, but the host you have connected to identifies itself
with the host key belonging to  Are you sure you want
to continue connecting?"

Optionally, there could be a mechanism for the client to remember this

I think this behaviour could be an improvement over the current
behaviour of saying the host is simply unknown.  (I frequently get
"authenticity...can't be established" warnings because I used a
partially-qualified name or a CNAME for a host I've connected to

It may not be trivial to implement this behaviour, however.

Dan Astoorian               People shouldn't think that it's better to have
Sysadmin, CSLab             loved and lost than never loved at all.  It's
djast at                    not, it's better to have loved and won.  All
                            the other options really suck.    --Dan Redican
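The reverse mapping sketched above, as an added example that is not part of the original post and not OpenSSH's own code: it parses a known_hosts file in both directions (name to key and key to names), then classifies the key a server presents against the name the user asked for. It assumes the plain, unhashed known_hosts line format ("host1,host2 keytype base64key", with "[host]:port" for non-default ports), and the sample entries and keys are constructed for the illustration.

```python
"""Reverse known_hosts lookup, as the post suggests: look up the key the
server presents and report which names it is already on file under.

Added illustration, not OpenSSH's own code. Assumes the plain (unhashed)
known_hosts line format "host1,host2 keytype base64key", with
"[host]:port" for non-default ports and optional "@marker" lines.
"""
from collections import defaultdict

# Constructed sample keys and known_hosts contents (not real keys).
KEY_ALPHA = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyAlpha"
KEY_BETA = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyBeta"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample; the same key under several names and ports",
    "alpha.example.org,alpha,192.0.2.10 ssh-ed25519 " + KEY_ALPHA,
    "[alpha.example.org]:2202 ssh-ed25519 " + KEY_ALPHA,
    "beta.example.org ssh-ed25519 " + KEY_BETA,
    "@revoked beta.example.org ssh-rsa AAAAB3ConstructedRevokedKey",
])


def parse_known_hosts(text):
    """Build both directions of the mapping from known_hosts text.

    Returns (names_by_key, keys_by_name): the first maps (keytype, key)
    to the host patterns recorded against it, the second maps each host
    pattern to its set of (keytype, key). "@revoked"/"@cert-authority"
    lines and hashed "|1|..." entries are skipped: a hashed entry can be
    matched against a candidate name but never inverted into one.
    """
    names_by_key = defaultdict(list)
    keys_by_name = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line; ssh itself ignores these
        hosts, keytype, key = fields[0], fields[1], fields[2]
        if hosts.startswith("|1|"):
            continue
        for pattern in hosts.split(","):
            names_by_key[(keytype, key)].append(pattern)
            keys_by_name[pattern].add((keytype, key))
    return names_by_key, keys_by_name


def host_pattern(host, port=22):
    """Pattern ssh writes for a host: bare name on port 22, else [host]:port."""
    return host if port == 22 else "[%s]:%d" % (host, port)


def check_host_key(known, host, port, keytype, key):
    """Classify the key a server presented for a requested host.

    Returns (verdict, names):
      ("ok", [])           the key is on file for the requested name
      ("mismatch", names)  the name is on file with a different key; this
                           is the case that must never be accepted silently
      ("known-as", names)  the name is new but the key is already recorded
                           under the listed names (the post's proposed warning)
      ("unknown", [])      neither the name nor the key is on file
    """
    names_by_key, keys_by_name = known
    pattern = host_pattern(host, port)
    presented = (keytype, key)
    if pattern in keys_by_name:
        if presented in keys_by_name[pattern]:
            return "ok", []
        return "mismatch", sorted(names_by_key.get(presented, []))
    if presented in names_by_key:
        return "known-as", sorted(names_by_key[presented])
    return "unknown", []


def warning_text(host, port, verdict, names):
    """Render the user-facing message for each verdict."""
    target = host_pattern(host, port)
    if verdict == "ok":
        return "Host key for %s matches known_hosts." % target
    if verdict == "mismatch":
        return ("WARNING: the host key for %s has changed; do not continue "
                "until the change is confirmed out of band." % target)
    if verdict == "known-as":
        return ("You have requested a connection to %s, but the host you "
                "have connected to identifies itself with the host key "
                "belonging to %s. Are you sure you want to continue "
                "connecting?" % (target, ", ".join(names)))
    return "The authenticity of host %s can't be established." % target


if __name__ == "__main__":
    known = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    for host, port, key in [("alpha", 22, KEY_ALPHA),
                            ("alpha-cname.example.org", 22, KEY_ALPHA),
                            ("beta.example.org", 22, KEY_ALPHA),
                            ("gamma.example.org", 22, "AAAAC3NotOnFile")]:
        verdict, names = check_host_key(known, host, port, "ssh-ed25519", key)
        print(warning_text(host, port, verdict, names))
```

Two caveats for anyone prototyping this: the "mismatch" verdict (name known, different key) is the case real ssh treats as a possible man-in-the-middle and refuses, and the reverse lookup must not soften it; and with HashKnownHosts enabled (a later OpenSSH feature) the key-to-names direction is unavailable, since a hashed entry can only be checked against a name the client already has.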
