OpenSSH Key Storage
Kevin Steves
stevesk at pobox.com
Sun Feb 3 09:35:01 EST 2002
On Fri, 1 Feb 2002, Dan Astoorian wrote:
:> if i connect to
:> folly.openssh.com
:> then i want the host key verified against the entry for
:> folly.openssh.com
:
:This might be a silly question:
:
:The ssh client looks up the name provided on the command line in the
:known_hosts databases, and compares the key provided by the server
:against the one looked up.

yes, modulo Host, HostKeyAlias and HostName ssh_config and -o handling.
also, CheckHostIP.

:Might it not make more sense for the mapping to happen in the other
:direction? I.e., to look up the key provided by the server to get a
:list of known names and addresses associated with it?
:
:That way, if I type
: ssh -p 2202 proxy.example.com
:
:and that ultimately gets to folly.openssh.com:22, then the SSH client
:could issue a warning like "You have requested a connection to
:proxy.example.com, but the host you have connected to identifies itself
:with the host key belonging to folly.openssh.com. Are you sure you want
:to continue connecting?"

it's an interesting approach. i think many of us would prefer not to have
a bunch of duplicated keys in known_hosts databases.
the rigorous approach is to process this manually via HostKeyAlias,
however i believe we also want to support direct address:port storage and
verification.

:Optionally, there could be a mechanism for the client to remember this
:equivalence.
:
:I think this behaviour could be an improvement over the current
:behaviour of saying the host is simply unknown. (I frequently get
:"authenticity...can't be established" warnings because I used a
:partially-qualified name or a CNAME for a host I've connected to
:before.)
:
:It may not be trivial to implement this behaviour, however.

i agree.
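The reverse lookup Dan describes (find every name known_hosts records for the key the server actually sent, then check whether the requested destination is among them), sketched as an added example; this is not code from either poster or from OpenSSH. It assumes the plain and hashed (HashKnownHosts) known_hosts line formats and ssh's `[host]:port` storage form for non-default ports; wildcard patterns are left out, and all keys and hostnames are constructed sample values.

```python
import base64, hashlib, hmac

DEMO_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIDemoKeyNotARealHostKey"  # constructed, not a real key

def hash_host(name, salt):
    """HashKnownHosts pattern: |1|b64(salt)|b64(HMAC-SHA1(salt, name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

# Constructed known_hosts: a plain entry with an address alias, a hashed entry for
# the same key under a short name, and an unrelated host with a different key.
KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "folly.openssh.com,10.0.0.5 ssh-ed25519 " + DEMO_KEY,
    hash_host("folly", b"0123456789abcdef0123") + " ssh-ed25519 " + DEMO_KEY,
    "other.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADemoOtherKey",
])

def parse_known_hosts(text):
    """Yield (patterns, keytype, key) per entry; comments and @markers are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not fields[0].startswith(("#", "@")):
            yield fields[0].split(","), fields[1], fields[2]

def pattern_matches(pattern, name):
    """Exact or hashed (|1|salt|hash) match; wildcards are not handled here."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64encode(mac).decode(), mac_b64)
    return pattern == name

def check_server_key(known_hosts, host, port, keytype, key):
    """Reverse lookup: collect every name recorded for the key the server sent,
    then check whether the requested destination is one of them.
    Returns ('match' | 'mismatch' | 'unknown', recorded_patterns)."""
    recorded = [p for pats, kt, k in parse_known_hosts(known_hosts)
                if kt == keytype and k == key for p in pats]
    if not recorded:
        return "unknown", []           # current behaviour: host is simply unknown
    wanted = host if port == 22 else "[%s]:%d" % (host, port)  # ssh's storage form
    if any(pattern_matches(p, wanted) for p in recorded):
        return "match", recorded
    return "mismatch", recorded        # key known, but under other names: warn
```

A `mismatch` result is the case in the thread: `ssh -p 2202 proxy.example.com` ending up at a server presenting folly.openssh.com's key, where the client could name the recorded hosts instead of reporting the host as unknown.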