OpenSSH Key Storage
Carson Gaspar
carson at taltos.org
Sat Feb 2 05:18:08 EST 2002
If you want to bind identity to a server, you have only 2 valid options:
- Pass the server's identity in-band, and have the client use that when
validating keys. This avoids a layering violation.
- Have the client validate the key against the layer 3/4 info - i.e. the
IP:PORT pair.
Nothing else is sane. Servers on different ports are different servers,
that may, or may not, have the same keys. Requiring config file gymnastics
is bogus.
Sadly, after reading the RFC, it looks like the server never sends its name
during the key exchange, making the first (and better) option impossible. I
hope I'm wrong and just misunderstood the documents.
--
Carson
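An added illustration of the second option above (binding the host key to the
host:port pair), written for this page and not part of Carson's post or of
OpenSSH itself. OpenSSH later adopted exactly this convention in known_hosts: a
server on a non-default port is recorded as "[host]:port", and hashed entries
("|1|salt|hmac|", HMAC-SHA1 over that same host string) bind to the port in the
same way, so a key learned on port 22 never satisfies a connection to port 2222.
The code below is a small known_hosts matcher that reproduces that behaviour;
the key blobs, hostnames and fixed salt are constructed placeholders, and
wildcard patterns, negations and "@cert-authority"/"@revoked" markers are
deliberately not handled.

```python
import base64
import hashlib
import hmac
import os

DEFAULT_PORT = 22


def host_pattern(host, port):
    """Host field OpenSSH writes for host:port.

    A non-default port is encoded as "[host]:port", so entries for port 22
    and port 2222 on the same host are distinct servers with distinct keys.
    """
    if port == DEFAULT_PORT:
        return host
    return "[%s]:%d" % (host, port)


def hash_host_entry(pattern, salt=None):
    """Hashed host field: |1|base64(salt)|base64(HMAC-SHA1(salt, pattern))|."""
    if salt is None:
        salt = os.urandom(20)
    mac = hmac.new(salt, pattern.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (base64.b64encode(salt).decode(),
                          base64.b64encode(mac).decode())


def host_field_matches(field, pattern):
    """True if a plain, comma-separated or hashed host field names pattern."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64, _ = field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, pattern.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    # Plain entries may carry several names: "host,10.0.0.1,[host]:2222"
    return pattern in field.split(",")


def lookup(known_hosts_text, host, port):
    """Return [(keytype, keydata)] for every entry bound to exactly host:port."""
    pattern = host_pattern(host, port)
    found = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        # Skip blanks, comments and @cert-authority/@revoked marker lines
        # (markers are real OpenSSH syntax but out of scope here).
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        field, keytype, keydata = parts[0], parts[1], parts[2]
        if host_field_matches(field, pattern):
            found.append((keytype, keydata))
    return found


def verify(known_hosts_text, host, port, keytype, keydata):
    """Classify a presented host key as 'match', 'mismatch' or 'unknown'."""
    entries = lookup(known_hosts_text, host, port)
    if not entries:
        return "unknown"      # first contact: prompt or reject, never silently trust
    if (keytype, keydata) in entries:
        return "match"
    return "mismatch"         # same host:port, different key: treat as a possible MITM


# Constructed sample known_hosts (placeholder key blobs, not real keys).
FIXED_SALT = b"\x00" * 20   # fixed only so the hashed entry is deterministic
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# port 22 and port 2222 on the same host are different servers",
    "example.org ssh-ed25519 AAAAKEY1",
    "[example.org]:2222 ssh-ed25519 AAAAKEY2",
    "[192.0.2.10]:2222,[192.0.2.10]:2223 ssh-ed25519 AAAAKEY3",
    hash_host_entry(host_pattern("example.org", 2200), FIXED_SALT)
    + " ssh-ed25519 AAAAKEY4",
])

if __name__ == "__main__":
    for host, port, key in [("example.org", 22, "AAAAKEY1"),
                            ("example.org", 2222, "AAAAKEY1"),
                            ("example.org", 2200, "AAAAKEY4"),
                            ("example.org", 2223, "AAAAKEY1")]:
        print(host, port, verify(SAMPLE_KNOWN_HOSTS, host, port, "ssh-ed25519", key))
```

The point worth noticing is the second line of the usage loop: the key that is
correct for example.org on port 22 is reported as a mismatch on port 2222,
because the layer 3/4 identity is part of what the client checks, and no
per-host configuration is needed to get that behaviour.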