OpenSSH Key Storage
Dan Astoorian
djast at cs.toronto.edu
Sat Feb 2 04:00:34 EST 2002
On Fri, 01 Feb 2002 03:43:35 EST, Markus Friedl writes:
> if i connect to
> folly.openssh.com
> then i want the host key verified against the entry for
> folly.openssh.com
This might be a silly question:
The ssh client looks up the name provided on the command line in the
known_hosts databases, and compares the key provided by the server
against the one looked up.
Might it not make more sense for the mapping to happen in the other
direction? I.e., to look up the key provided by the server to get a
list of known names and addresses associated with it?
That way, if I type
ssh -p 2202 proxy.example.com
and that ultimately gets to folly.openssh.com:22, then the SSH client
could issue a warning like "You have requested a connection to
proxy.example.com, but the host you have connected to identifies itself
with the host key belonging to folly.openssh.com. Are you sure you want
to continue connecting?"
Optionally, there could be a mechanism for the client to remember this
equivalence.
I think this behaviour could be an improvement over the current
behaviour of saying the host is simply unknown. (I frequently get
"authenticity...can't be established" warnings because I used a
partially-qualified name or a CNAME for a host I've connected to
before.)
It may not be trivial to implement this behaviour, however.
--
Dan Astoorian
Sysadmin, CSLab
djast at cs.toronto.edu
www.cs.toronto.edu/~djast/

People shouldn't think that it's better to have loved and lost than never loved at all. It's not, it's better to have loved and won. All the other options really suck. --Dan Redican
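The reverse lookup proposed in the message above, as an added Python example. It is not OpenSSH code and not part of the original post: it does the forward lookup ssh performs (requested name -> key), and when that finds nothing it looks the presented key up in the other direction (key -> names) and renders the warning the post suggests. The known_hosts contents and the base64 key strings are constructed for the example and are not real keys. It also handles the hashed `|1|salt|hash` entries that later OpenSSH versions write under HashKnownHosts, because they are the practical caveat for this idea: a hashed entry can confirm that the requested name is known, but the reverse direction can only report that the key is known under some name it cannot recover.

```python
"""Reverse known_hosts lookup: which names is a presented host key known under?
Added example, not OpenSSH code; sample file contents below are constructed."""
import base64
import fnmatch
import hashlib
import hmac


def hash_hostname(name: str, salt: bytes) -> str:
    """Build a hashed host pattern in the form |1|base64(salt)|base64(HMAC-SHA1(salt, name))."""
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def request_name(host: str, port: int = 22) -> str:
    """The name ssh looks up: the bare host for port 22, [host]:port otherwise."""
    return host if port == 22 else "[%s]:%d" % (host, port)


def host_matches(pattern: str, name: str) -> bool:
    """Match one host pattern (plain, wildcard, or hashed) against a requested name."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, _ = pattern.split("|")
        return hmac.compare_digest(hash_hostname(name, base64.b64decode(salt_b64)), pattern)
    if pattern.startswith("!"):  # negated patterns are not handled in this example
        return False
    return fnmatch.fnmatchcase(name, pattern)


def parse_known_hosts(text: str):
    """Yield (patterns, keytype, key) per entry; comments and @marker lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        yield fields[0].split(","), fields[1], fields[2]


def check_host(known_hosts_text: str, host: str, port: int, keytype: str, key: str) -> dict:
    """Forward lookup (name -> key) first; if the name is unknown, reverse lookup (key -> names)."""
    name = request_name(host, port)
    entries = list(parse_known_hosts(known_hosts_text))
    matched = [e for e in entries if e[1] == keytype and any(host_matches(p, name) for p in e[0])]
    if any(e[2] == key for e in matched):
        return {"status": "ok", "name": name, "names": [], "hashed": 0}
    if matched:  # name known with a different key of the same type: the classic warning
        return {"status": "changed", "name": name, "names": [], "hashed": 0}
    names, hashed = [], 0
    for patterns, ktype, k in entries:
        if ktype != keytype or k != key:
            continue
        for p in patterns:
            if p.startswith("|1|"):
                hashed += 1  # the key is known here, but the name cannot be recovered
            elif not p.startswith("!"):
                names.append(p)
    status = "known_key_other_name" if (names or hashed) else "unknown"
    return {"status": status, "name": name, "names": names, "hashed": hashed}


def explain(result: dict) -> str:
    """Render the outcome, including the warning text proposed in the post."""
    name, status = result["name"], result["status"]
    if status == "ok":
        return "Host key for %s matches known_hosts." % name
    if status == "changed":
        return "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED for %s!" % name
    if status == "known_key_other_name":
        owner = ", ".join(result["names"]) or "(hashed entries only)"
        msg = ("You have requested a connection to %s, but the host you have connected to "
               "identifies itself with the host key belonging to %s." % (name, owner))
        if result["hashed"]:
            msg += " The same key also appears in %d hashed entry(ies) whose names cannot be recovered." % result["hashed"]
        return msg + " Are you sure you want to continue connecting?"
    return "The authenticity of host '%s' can't be established." % name


# Constructed sample known_hosts: the key strings are made-up base64, not real public keys.
KEY_FOLLY = "AAAAC3NzaC1lZDI1NTE5AAAAIGZvbGx5LWV4YW1wbGUta2V5LW5vdC1yZWFs"
KEY_OTHER = "AAAAC3NzaC1lZDI1NTE5AAAAIHByb3h5LWV4YW1wbGUta2V5LW5vdC1yZWFs"
SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "folly.openssh.com,folly,192.0.2.10 ssh-ed25519 " + KEY_FOLLY,
    "*.example.net ssh-ed25519 " + KEY_OTHER,
    hash_hostname("secret.example.org", SALT) + " ssh-ed25519 " + KEY_FOLLY,
])

if __name__ == "__main__":
    # ssh -p 2202 proxy.example.com, with the connection ending up at folly's key
    print(explain(check_host(SAMPLE_KNOWN_HOSTS, "proxy.example.com", 2202, "ssh-ed25519", KEY_FOLLY)))
```

The forward lookup runs first so the existing "host key has changed" warning keeps priority: a known name presenting a different key is a stronger signal than an unknown name presenting a known key, and the reverse lookup must never be allowed to soften it.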