OpenSSH Key Storage

Carson Gaspar carson at taltos.org
Sat Feb 2 05:22:35 EST 2002


--On Friday, February 01, 2002 9:43 AM +0100 Markus Friedl 
<markus at openbsd.org> wrote:

> it has been suggested that the server tells the client:
> 	lookup the hostkey under this 'name'.
> does this really help? doesn't this mean the server
> binds name to key? shouldn't the client do this instead?

No. Because the client can't. It doesn't have enough information. You can 
hack it into the client statically via the current alias mechanism, but it 
is amazingly fragile and breaks if anything changes.

The server, on the other hand, knows its identity. And proves it with its 
keypair. A rogue host can claim to be mine, but the keypair won't match.

Now, you can try to use DNS as a sucky insecure CA, but is that _really_ a 
good idea?

-- 
Carson
