OpenSSH Key Storage

Carson Gaspar carson at
Sat Feb 2 05:18:08 EST 2002

If you want to bind identity to a server, you have only 2 valid options:

- Pass the server's identity in-band, and have the client use that when 
validating keys. This avoids a layering violation.
- Have the client validate the key against the layer 3/4 info - i.e. the 
IP:PORT pair.

Nothing else is sane. Servers on different ports are different servers, 
that may, or may not, have the same keys. Requiring config file gymnastics 
is bogus.

Sadly, after reading the RFC, it looks like the server never sends its name 
during the key exchange, making the first (and better) option impossible. I 
hope I'm wrong and just mis-understood the documents.


More information about the openssh-unix-dev mailing list