[Bug 393] 'known_hosts' file should be indexed by IP:PORT, not just IP

Ben Lindstrom mouring at etoh.eviladmin.org
Wed Sep 11 09:50:14 EST 2002


On Tue, 10 Sep 2002, Carson Gaspar wrote:

[..]
>
> > and: the entry matters for hostbased authentication: you have
> > 10 entries for the same ip, what key is the correct key?
>
> The one with the correct _name_. I thought we'd solved this ages ago - the
> source IP is _meaningless_ for host based auth, especially with NAT being
> so common. The name that is presented is all that matters. This used to
> work - did it get broken recently?
>

You're missing his point.

The whine about

machine.domain.com:22

vs

machine.domain.com:2222

If you have BOTH in your known_hosts due to the fact machine.domain.com is
a NAT box and port 2222 is really an internal machine.  How does hostbased
authentication know which one to use?

He is not referring to vhost1.domain.com and vhost2.domain.com resolving to
one key.  Where you got that is beyond me.

- Ben
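Added illustration, not part of Ben's message and not OpenSSH code: a small model of the two lookups under discussion. The "host:port" host-field syntax and the placeholder keys are assumptions constructed for the example; it shows why a name-only known_hosts file accepts either key on either port, while a name-plus-port index rejects the internal machine's key on port 22.

```python
# Added example; not code from the thread or from OpenSSH. It models the
# ambiguity Ben describes: a known_hosts file keyed on the name alone cannot
# tell a NAT box on port 22 from the internal machine it forwards on 2222.
# The "host:port" host-field syntax below is the proposal under discussion,
# written as an assumption here; real OpenSSH syntax is not modelled.

# Constructed sample, name-only (the 2002 behaviour): two keys, one name.
LEGACY_KNOWN_HOSTS = """\
machine.domain.com ssh-rsa KEY_NATBOX
machine.domain.com ssh-rsa KEY_INTERNAL
other.domain.com ssh-rsa KEY_OTHER
"""

# Constructed sample in the proposed host:port form.
PORT_INDEXED_KNOWN_HOSTS = """\
machine.domain.com:22 ssh-rsa KEY_NATBOX
machine.domain.com:2222 ssh-rsa KEY_INTERNAL
other.domain.com ssh-rsa KEY_OTHER
"""

DEFAULT_SSH_PORT = 22


def split_host_port(pattern, default_port=DEFAULT_SSH_PORT):
    """Split 'host:port' into (host, port); a bare host gets the default port.
    Assumption: hostnames / IPv4 only; IPv6 literals would need bracket handling."""
    host, sep, port = pattern.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return pattern, default_port


def parse_known_hosts(text):
    """Return a list of (host, port, keytype, key) tuples, one per host pattern.
    Comment and blank lines are skipped; comma-separated host lists are expanded."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        if len(fields) < 3:
            continue  # malformed line, ignore it
        hosts, keytype, key = fields
        for pattern in hosts.split(","):
            host, port = split_host_port(pattern)
            entries.append((host, port, keytype, key))
    return entries


def keys_for_name(entries, host):
    """Name-only lookup: every key recorded under this name, whatever the port."""
    return [key for h, _p, _kt, key in entries if h == host]


def keys_for_name_port(entries, host, port):
    """Name-plus-port lookup: only keys recorded for this exact (host, port)."""
    return [key for h, p, _kt, key in entries if h == host and p == port]


def verify_host_key(entries, host, port, presented_key):
    """Decide what a client should do with the key a server presents.
    Returns 'unknown' (no entry for host:port), 'match' or 'mismatch'."""
    candidates = keys_for_name_port(entries, host, port)
    if not candidates:
        return "unknown"
    return "match" if presented_key in candidates else "mismatch"


if __name__ == "__main__":
    legacy = parse_known_hosts(LEGACY_KNOWN_HOSTS)
    indexed = parse_known_hosts(PORT_INDEXED_KNOWN_HOSTS)
    # Name-only file: both keys are accepted on port 22, so the NAT box and
    # the internal machine behind it are indistinguishable to the client.
    print(keys_for_name(legacy, "machine.domain.com"))
    print(verify_host_key(legacy, "machine.domain.com", 22, "KEY_INTERNAL"))
    # Port-indexed file: the internal key is rejected on port 22 and
    # accepted only on 2222, where it belongs.
    print(verify_host_key(indexed, "machine.domain.com", 22, "KEY_INTERNAL"))
    print(verify_host_key(indexed, "machine.domain.com", 2222, "KEY_INTERNAL"))
```

With the name-only file, a key that belongs to the internal machine is accepted for a connection to port 22, i.e. to the NAT box itself, which is the hole the bug report is about; once the port is part of the index, each (name, port) pair maps to exactly one expected key.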



