[Bug 393] 'known_hosts' file should be indexed by IP:PORT, not just IP
bugzilla-daemon at mindrot.org
Thu Sep 12 05:52:32 EST 2002
http://bugzilla.mindrot.org/show_bug.cgi?id=393
------- Additional Comments From mouring at eviladmin.org 2002-09-12 05:52 -------
You're missing his point about 'hostbased' authentication. By allowing
host/ip:port you run into a problem when you go to do hostbased
authentication. Instead of having a 1-to-1 association you have a 1-to-many.
And randomly picking from the many is opening yourself up to potential spoofing.
If I have 10 keys that all say 'etoh.eviladmin.org' but from 10 different ports, do
you really want to trust that the right random key will be used for hostbased
auth?
No, I agree with Markus. Until one can show how host/ip:port format and
hostbased auth can interact, pinning it down to a 1-to-1 test, then I doubt such
a patch will be accepted. When I say 'show how'... I'm stating WITHOUT RFC
modifications. Full interop with existing installs.
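The 1-to-many problem the comment describes can be made concrete with a small known_hosts indexer. This is an added example, not code from the bug report or from OpenSSH: it parses constructed known_hosts lines (placeholder key material, not real keys), assumes the `[host]:port` form OpenSSH uses for non-standard ports, and shows that a lookup keyed on host:port is unique while a lookup keyed on hostname alone, which is what a hostbased-auth check has to work from, returns several distinct keys for the same host. The safe behaviour on ambiguity is to refuse rather than pick one. Wildcard patterns and hashed entries are deliberately out of scope.

```python
"""Index a known_hosts file by host:port and by host alone (added example).

The sample file content is constructed for illustration; the key strings
are placeholders, not real public keys.
"""
import re
from collections import defaultdict

# Constructed sample: one host reachable on three ports, plus an unrelated host.
SAMPLE_KNOWN_HOSTS = """\
etoh.eviladmin.org,192.0.2.10 ssh-rsa PLACEHOLDER-KEY-PORT22
[etoh.eviladmin.org]:2222 ssh-rsa PLACEHOLDER-KEY-PORT2222
[etoh.eviladmin.org]:2223 ssh-rsa PLACEHOLDER-KEY-PORT2223
other.example.net ssh-ed25519 PLACEHOLDER-KEY-OTHER
# comment lines and blank lines are ignored
"""

# Matches the bracketed non-standard-port form: [host]:port
_BRACKET = re.compile(r"^\[(.+)\]:(\d+)$")


def parse_known_hosts(text):
    """Return a list of (host, port, keytype, key) tuples.

    A line may list several comma-separated host patterns for one key;
    each pattern becomes its own tuple. Patterns without a bracketed
    port are taken to mean the default port 22.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue  # malformed line: skip rather than guess
        hosts, keytype, key = parts
        for pattern in hosts.split(","):
            m = _BRACKET.match(pattern)
            if m:
                entries.append((m.group(1), int(m.group(2)), keytype, key))
            else:
                entries.append((pattern, 22, keytype, key))
    return entries


def index_by_host_port(entries):
    """Map (host, port) -> set of (keytype, key). This is the connection-time view."""
    idx = defaultdict(set)
    for host, port, keytype, key in entries:
        idx[(host, port)].add((keytype, key))
    return idx


def hostbased_candidates(entries, host):
    """Distinct keys a hostname-only lookup has to choose among.

    A hostbased-auth check only knows the client's hostname, not which
    port its sshd listens on, so every port-qualified entry for that
    name becomes a candidate.
    """
    keys = {(keytype, key) for h, _port, keytype, key in entries if h == host}
    return sorted(keys)


def unambiguous_host_key(entries, host):
    """Return the single key for `host`, or None if there is not exactly one.

    Refusing on ambiguity is the defensive choice: picking one of several
    candidates at random is the spoofing exposure the comment warns about.
    """
    candidates = hostbased_candidates(entries, host)
    if len(candidates) != 1:
        return None
    return candidates[0]


if __name__ == "__main__":
    entries = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    by_hp = index_by_host_port(entries)
    print("host:port lookup ->", by_hp[("etoh.eviladmin.org", 2222)])
    print("host-only candidates ->", hostbased_candidates(entries, "etoh.eviladmin.org"))
    print("unambiguous key ->", unambiguous_host_key(entries, "etoh.eviladmin.org"))
```

Run stand-alone, the host:port lookup yields exactly one key, the hostname-only lookup yields three, and `unambiguous_host_key` returns `None` for the multi-port host while still returning the single key for `other.example.net`.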