OpenSSH Key Storage

Kevin Steves stevesk at
Sun Feb 3 09:35:01 EST 2002

On Fri, 1 Feb 2002, Dan Astoorian wrote:
:> if i connect to
:> then i want the host key verified against the entry for
:This might be a silly question:
:The ssh client looks up the name provided on the command line in the
:known_hosts databases, and compares the key provided by the server
:against the one looked up.

Yes, modulo Host, HostKeyAlias and HostName ssh_config and -o handling.
Also, CheckHostIP.

:Might it not make more sense for the mapping to happen in the other
:direction?  I.e., to look up the key provided by the server to get a
:list of known names and addresses associated with it?
:That way, if I type
:    ssh -p 2202
:and that ultimately gets to, then the SSH client
:could issue a warning like "You have requested a connection to, but the host you have connected to identifies itself
:with the host key belonging to  Are you sure you want
:to continue connecting?"

It's an interesting approach.  I think many of us would prefer not to have
a bunch of duplicated keys in known_hosts databases.

The rigorous approach is to process this manually via HostKeyAlias;
however, I believe we also want to support direct address:port storage and

:Optionally, there could be a mechanism for the client to remember this
:I think this behaviour could be an improvement over the current
:behaviour of saying the host is simply unknown.  (I frequently get
:"authenticity...can't be established" warnings because I used a
:partially-qualified name or a CNAME for a host I've connected to
:It may not be trivial to implement this behaviour, however.

I agree.
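The reverse lookup Dan proposes, as an added example that is not part of the original thread and not OpenSSH's own code: a small Python script that parses a constructed known_hosts file, finds every name or address an offered host key is already stored under, and renders the warning in the wording suggested above (falling back to the current "can't be established" behaviour when the key is not known at all). It also handles the `[host]:port` form that ssh(1) writes for non-standard ports, and hashed entries of the kind written by the later `HashKnownHosts` option, which can only be tested against a candidate name and not reversed, so they are counted rather than listed. The key blobs, hostnames and salt are constructed placeholders, and the `*`/`?`/`!` pattern syntax ssh(1) accepts in host fields is deliberately not implemented.

```python
"""Reverse known_hosts lookup: given the key a server presented, report every
name the file already associates with it.  Added example for the thread above,
not OpenSSH code.  All entries below are constructed sample data."""
import base64
import hashlib
import hmac

# Constructed placeholders: the lookup compares the encoded key as an opaque
# string, exactly as ssh(1) compares the key the server presents, so these
# need not decode to real key material.
KEY_A = "AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
KEY_B = "AAAAC3NzaC1lZDI1NTE5AAAAIOtherKeyBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
SALT = bytes(range(20))  # constructed 20-byte salt for the hashed entry


def hash_host(name, salt):
    """Hashed known_hosts form: |1|base64(salt)|base64(HMAC-SHA1(salt, name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "www.example.org,192.0.2.10 ssh-ed25519 %s" % KEY_A,
    "[shell.example.org]:2202 ssh-ed25519 %s" % KEY_A,
    "db.example.org ssh-ed25519 %s" % KEY_B,
    "%s ssh-ed25519 %s" % (hash_host("backup.example.org", SALT), KEY_A),
])


def parse_known_hosts(text):
    """Return (patterns, keytype, key_b64) for each plain host-key line.
    Lines starting with '@' carry a marker (@cert-authority, @revoked) and are
    not plain host keys, so they are skipped, as are comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#@":
            continue
        fields = line.split(None, 3)          # patterns, keytype, key[, comment]
        if len(fields) >= 3:
            entries.append((fields[0].split(","), fields[1], fields[2]))
    return entries


def stored_name(host, port=22):
    """Form ssh(1) stores: bare name on port 22, [name]:port otherwise."""
    return host if port == 22 else "[%s]:%d" % (host, port)


def pattern_matches(pattern, name):
    """Hashed patterns are checked by recomputing the HMAC with the stored salt;
    plain patterns by exact comparison (no wildcard handling here)."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|", 3)
        mac = hmac.new(base64.b64decode(salt_b64), name.encode(),
                       hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return pattern == name


def lookup_by_key(text, host, port, keytype, key_b64):
    """Reverse lookup: which known names carry this key, and is the name the
    user asked for among them?  Hashed entries cannot be turned back into a
    name, so they are only counted."""
    name = stored_name(host, port)
    known_as, hashed, name_known = [], 0, False
    for patterns, ktype, key in parse_known_hosts(text):
        if ktype != keytype or key != key_b64:
            continue
        for pat in patterns:
            if pattern_matches(pat, name):
                name_known = True
            if pat.startswith("|1|"):
                hashed += 1
            else:
                known_as.append(pat)
    return {"requested": name, "name_known": name_known,
            "known_as": sorted(set(known_as)), "hashed_entries": hashed}


def describe(result):
    """Render the outcome in the wording proposed in the thread."""
    if result["name_known"]:
        return "host key for %s matches known_hosts" % result["requested"]
    if result["known_as"] or result["hashed_entries"]:
        names = ", ".join(result["known_as"]) or "an entry stored in hashed form"
        return ("You have requested a connection to %s, but the host you have "
                "connected to identifies itself with the host key belonging to "
                "%s. Are you sure you want to continue connecting?"
                % (result["requested"], names))
    return ("The authenticity of host %s can't be established."
            % result["requested"])


if __name__ == "__main__":
    for host, port, key in [("www.example.org", 22, KEY_A),
                            ("shell.example.org", 22, KEY_A),
                            ("backup.example.org", 22, KEY_A),
                            ("new.example.org", 22, "AAAAunknown")]:
        print(describe(lookup_by_key(KNOWN_HOSTS, host, port, "ssh-ed25519", key)))
```

The second case is the one the thread is about: `shell.example.org` on port 22 is not in the file, but its key is stored under `www.example.org`, `192.0.2.10` and `[shell.example.org]:2202`, so the client can name them instead of declaring the host unknown. The manual alternative Kevin refers to is an ssh_config stanza that sets `HostName` to the real host and `HostKeyAlias` to the name whose known_hosts entry should be consulted, which avoids storing the same key under every alias; `CheckHostIP` additionally checks the resolved address against the file.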
