Host verification problem
Hadmut Danisch
hadmut at danisch.de
Mon May 16 01:10:04 EST 2005
On Sun, May 15, 2005 at 10:30:27PM +1000, Darren Tucker wrote:
>
> Or use a HostKeyAlias in your ssh_config, eg, for hosts "server1" and
> "server2" behind ports 2222 and 2223 of "gateway":

Which still requires entering an entry in the ssh_config
file.

> See: http://bugzilla.mindrot.org/show_bug.cgi?id=910

I had a glance at this and also at bug 393.

It's an awful and silly discussion.

HostKeyAlias is not a solution, it is just a workaround for
an unfixed bug. For some reasons, none of which convince me,
some people seem to insist on not fixing this bug. Strange.

Reality shows that there are more people out there having more
than one ssh daemon available at a single IP address. This might be
considered as odd, but that's how it is since the world started to use
RFC1918 address ranges and IP connections with limited address space.

On the other hand, ssh was designed at a time before RFC1918 was
issued. Insisting on the old one host - one IP address - one ssh key
model is a bit like my grandfather who never accepted the way
cars were designed after the 1950s.

It's time for ssh to reach the NAT and Port-forwarding age.

And by the way: A reverse lookup (unknown IP but host key found in the
list) wouldn't be that bad for dynamically assigned IP addresses (e.g.
ppp, dhcp).

regards
Hadmut
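
The HostKeyAlias workaround discussed in this message, written out as an added example that is not part of the original post or thread. The host names and ports are the ones named in the quoted text; which port maps to which server is an assumption.

```sshconfig
# ~/.ssh/config (added example, not from the original thread)
# Two sshd instances reachable through port forwards on one address.
# Host names and ports follow the quoted text; the server-to-port
# mapping is assumed.

Host server1
    HostName gateway
    Port 2222
    # Store and look up the host key under "server1" instead of "gateway",
    # so this daemon's key does not collide with the other one's.
    HostKeyAlias server1

Host server2
    HostName gateway
    Port 2223
    HostKeyAlias server2

# "ssh server1" and "ssh server2" now verify against separate
# known_hosts entries. Connecting as "ssh -p 2223 gateway" matches
# neither stanza, so no alias is applied to that connection.
```

After the first connection to each alias, `ssh-keygen -F server1` shows the known_hosts entry recorded under that name.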