No subject


Thu Nov 2 09:08:48 EST 2006


requiring the user to do anything special.  i.e. when they run "ssh gate -p 22" 
it just works and when they run "ssh gate -p 1022" it just works.  Having to 
tell everyone who will remotely access our system (i.e. employees, contractors, 
customers, etc) that they have to go setup special configurations with special 
options in order to access our network just isn't practical.

The tool is suppose to work for the user, not the other way around.

As for disk space, each line in these files is a little over 200 bytes.  if 
your file system is so tight that you can't put a couple extra KB on your disk, 
you've got bigger problems.

As for the statement that the entries in the known_hosts file are suppose to 
represent "real" ssh servers, that is also not true.  As an IT Manager, I 
explicitly want to control how my network appears to the outside world.  The 
only points of contact (and knowledge) that the outside world has about my 
network are defined through my firewalls.  Everything that the outside world 
knows about my network must be related the defined entry points to my network, 
not the internals of my network.

As for verifying every IP:Port pair, the simple answer is "YES".  Again, since 
every IP:Port pair could map to a completely separate system you actually have 
to verify each IP:Port pair because making the assumption that all ports on a 
particular IP go to a single host is simply wrong.

Tell you what, if I patch up the code and send it to you, will you roll it into 
the next release?



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.



More information about the openssh-unix-dev mailing list