[Bug 393] New: 'known_hosts' file should be indexed by IP:PORT, not just IP
bugzilla-daemon at mindrot.org
Wed Sep 11 06:11:18 EST 2002
http://bugzilla.mindrot.org/show_bug.cgi?id=393
Summary: 'known_hosts' file should be indexed by IP:PORT, not just IP
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: ssh
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: eric at addamark.com
The current logic for using the 'known_hosts' file is broken with respect to
NAT. The current logic assumes that there is a 1:1 relationship between an IP
Address and a physical host. This is not true. The correct logic would be to
associate each IP:PORT pair with a physical host.
The current logic breaks if the SSH server is behind a NAT device that does
port mapping. For example, 156.32.67.132:22 does not necessarily go to the
same physical host as 156.32.67.132:1022.
The problem one sees as a result of this is that the 'StrictHostChecking'
and 'CheckHostIP' settings in ssh_config will cause 'ssh' to fail when it
shouldn't. We ran into this today when I mapped a second SSH server through
our firewall on a new port.
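Added example, not the reporter's code and not OpenSSH's: a small Python model of the known_hosts lookup that shows the collision the report describes and how keying entries by host:port avoids it. The bracketed `[host]:port` form used here is the syntax OpenSSH later adopted for servers on non-default ports (plain `host` covers port 22 only); the `|1|salt|hash` form is the hashed-entry format (HMAC-SHA1 of the name as written, keyed by the salt). The NAT address is the one from the report; the key blobs, salt and port numbers are constructed placeholders, and `port_aware=False` simulates the host-only index the report complains about.

```python
"""Port-aware known_hosts lookup (added example; not OpenSSH's code)."""
import base64
import hashlib
import hmac
import re

DEFAULT_PORT = 22


def host_as_written(host, port):
    """Name that identifies a server in known_hosts.

    Plain 'host' covers the default port only; any other port is written
    as '[host]:port', so two servers NATed through one address on
    different ports get separate entries instead of colliding."""
    return host if port == DEFAULT_PORT else f"[{host}]:{port}"


def hash_host(name, salt):
    """Hashed entry: '|1|' base64(salt) '|' base64(HMAC-SHA1(salt, name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return f"|1|{base64.b64encode(salt).decode()}|{base64.b64encode(mac).decode()}"


def hashed_match(pattern, name):
    """Recompute the hash with the entry's own salt and compare."""
    parts = pattern.split("|")
    if len(parts) != 4 or parts[1] != "1":
        return False
    salt = base64.b64decode(parts[2])
    return hmac.compare_digest(hash_host(name, salt), pattern)


def wildcard_match(pattern, name):
    """known_hosts wildcards are only '*' and '?'; brackets are literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, name) is not None


def host_field_matches(field, name):
    """First field: comma-separated patterns, '!' negates, '|1|..' hashed."""
    matched = False
    for pat in field.split(","):
        if pat.startswith("|"):
            matched |= hashed_match(pat, name)
        elif pat.startswith("!"):
            if wildcard_match(pat[1:], name):
                return False
        elif wildcard_match(pat, name):
            matched = True
    return matched


def parse_known_hosts(text):
    """Yield (host_field, key_type, key) for each non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):          # @cert-authority / @revoked marker
            line = line.split(None, 1)[1]
        parts = line.split(None, 3)       # field, type, key[, comment]
        if len(parts) >= 3:
            yield parts[0], parts[1], parts[2]


def check_host_key(text, host, port, key_type, key, port_aware=True):
    """Return 'match', 'mismatch' or 'unknown' for the key a server presented.

    port_aware=False reproduces the behaviour the report describes: the
    lookup name is the bare address, so every port shares the port-22 entry."""
    name = host_as_written(host.lower(), port if port_aware else DEFAULT_PORT)
    candidates = [(t, k) for f, t, k in parse_known_hosts(text)
                  if host_field_matches(f, name)]
    if (key_type, key) in candidates:
        return "match"
    if any(t == key_type for t, _ in candidates):
        return "mismatch"
    return "unknown"


# Constructed data: the NAT address from the report with three different
# servers mapped through it. Key blobs and salt are placeholders, not real keys.
NAT_ADDR = "156.32.67.132"
SALT = bytes(range(20))
KEY_A = "AAAAB3NzaC1yc2E-server-A-placeholder"
KEY_B = "AAAAB3NzaC1yc2E-server-B-placeholder"
KEY_C = "AAAAC3NzaC1lZDI1-server-C-placeholder"

KNOWN_HOSTS = f"""\
# server A, default port, plain form
{NAT_ADDR} ssh-rsa {KEY_A}
# server B, mapped through port 1022, bracketed form
{host_as_written(NAT_ADDR, 1022)} ssh-rsa {KEY_B}
# server C, mapped through port 2022, hashed form (HashKnownHosts yes)
{hash_host(host_as_written(NAT_ADDR, 2022), SALT)} ssh-ed25519 {KEY_C}
"""


def report_scenario():
    """Server B's key offered on port 1022: host-only index vs host:port index."""
    return (check_host_key(KNOWN_HOSTS, NAT_ADDR, 1022, "ssh-rsa", KEY_B, port_aware=False),
            check_host_key(KNOWN_HOSTS, NAT_ADDR, 1022, "ssh-rsa", KEY_B))


if __name__ == "__main__":
    print(report_scenario())   # ('mismatch', 'match')
```

With the host-only index, the connection to port 1022 is compared against server A's entry and reported as a changed host key; with the `[host]:port` entry it matches server B. The hashed line shows that hashing does not change the picture: the name that gets hashed is the same `[host]:port` string, so a hashed file distinguishes ports exactly as a plain one does.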