OpenSSH Key Storage

Michael T. Babcock mbabcock at
Sat Feb 2 05:19:11 EST 2002

On Fri, Feb 01, 2002 at 07:04:36PM +0100, Markus Friedl wrote:
> > No, you're blaming that supposed behaviour incorrectly; that
> > would happen already if the user connected to that machine that
> > way.  In fact, if I connect to my server on a different port, it
> > tells me the key has changed -- which it hasn't; its just a different
> > session.
> well, show should ssh know?

SSH should know that a connection is a remote host + ip pair, the same as
TCP does, which SSH rides on.  Host+IP is how all connections in TCP are
described; we all know that.  How the user connects to the remote machine
is what is important; if I connect using an alias "Comp1" then I configure
that and go.  If I connect using specified ports, that should work equally
well.  You're confusing user behaviour and software behaviour I think.

> > This is fixed manually with the config file, but the behaviour you
> > describe could happen _now_, with or without my proposed change.
> well, but your proposed change encourages this behaviour, while
> HostKeyAlias does not.

No, my proposed change simply decreases the need for HostKeyAlias which you
seem to like (and I don't think should be necessary in many cases).  My
proposal means that users (who have situations like the one I described) don't
have to contend with OpenSSH claiming their host key has changed; this leads
to people just always saying "yes" to the verification prompt and decreases
secure usage.

I cannot think of a good reason _not_ to support the storage of keys on a
host+ip basis.  It does not, in any case described, decrease security from
what we have now and I believe it increases security.
Michael T. Babcock
CTO, FibreSpeed Ltd.     (Hosting, Security, Consultation, Database, etc)

More information about the openssh-unix-dev mailing list