known_hosts file and server keys

Dirk Stoecker misc at dstoecker.de
Wed Jun 22 17:59:59 EST 2005


Hello,

for some time now I have been wondering about the way the known_hosts file contains the 
server keys. Let's look at a part of my known_hosts file:

shell.sf.net,66.35.250.208 ssh-dss AAAAB3NzaC1kc3MAAACBA...
shell.sourceforge.net ssh-dss AAAAB3NzaC1kc3MAAACBA...

As you can see, there are two entries, which describe the same host. When 
the file is empty and I connect with each name one after another, I always get the 
question
"The authenticity of host 'foo (bar)' can't be established."

This is even true for alias names which I can create on my local system.

Suggestion:
a) Join all equal hosts in one line.
b) When a new name is entered, which matches the IP of one of the old
   server certificates, show a different warning, which says something
   like
   "Host foo unknown, but seems to be bar1, bar2, ... Is this correct?"
   Possibly make a switch to skip this message and set it true always.
c) When the IP does not match any of the known ones, but the server
   certificate does (server with different IPs and different names)
   ask a question like:
   "Host foo unknown, but certificate is equal to bar1, bar2, ..."

The changed messages would help to increase understanding. When connecting 
a second or third time to a server and getting asked every time that the 
certificate is not known (because you used another alias), then you tend
to answer yes all the time.

The joined lines in the known_hosts file would make maintaining such files 
easier.

Ciao
-- 
 ____  _ _  ____  _ _    _ _  ____
|    |  |  |    |  | \  / |  |    | the cool Gremlin from Bischofswerda
|  __   |   ____|  |  \/  |  |    | WWW: http://www.dstoecker.de/
|    |  |  |       |      |  |    | PGP key available on www page.
|____| _|_ |____| _|_    _|_ |____| I hope AMIGA never stops making fun!
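As an added illustration of suggestion (c), not code from the mail or from OpenSSH: a small Python script that reads known_hosts lines and groups every name and IP recorded under the same host key, so a user can see which names are really one server before answering the prompt. The sample file and its key strings are constructed placeholders.

```python
"""Group OpenSSH known_hosts entries by host key.

Added example, not from the mail or from OpenSSH: lists every name and IP
recorded under one public key, the 'seems to be bar1, bar2, ...' list.
"""
from collections import defaultdict

# Constructed sample; the key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
# comment line
shell.sf.net,66.35.250.208 ssh-dss AAAAB3NzaC1kc3MAAACBA_KEY1
shell.sourceforge.net ssh-dss AAAAB3NzaC1kc3MAAACBA_KEY1
@cert-authority *.example.org ssh-rsa AAAAB3NzaC1yc2E_CAKEY
other.example.net ssh-rsa AAAAB3NzaC1yc2E_KEY2
"""


def parse_known_hosts(text):
    """Yield (marker, [names], keytype, key) for each non-comment line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):      # e.g. @cert-authority, @revoked
            marker = fields.pop(0)
        if len(fields) < 3:
            continue                       # malformed line, skip it
        # Hashed names (|1|salt|hash) are kept opaque: without the salt they
        # cannot be joined with plain names, so they form their own entry.
        names, keytype, key = fields[0], fields[1], fields[2]
        yield marker, names.split(","), keytype, key


def group_by_key(text):
    """Map (keytype, key) -> sorted names/IPs that share that host key."""
    groups = defaultdict(set)
    for marker, names, keytype, key in parse_known_hosts(text):
        if marker:      # CA and revoked lines are not host keys; skip them
            continue
        groups[(keytype, key)].update(names)
    return {k: sorted(v) for k, v in groups.items()}


def aliases_for(text, keytype, key):
    """Names already trusted for this key; empty list if the key is new."""
    return group_by_key(text).get((keytype, key), [])
```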
