About multiple hosts with same hostname
Christian Iversen
chrivers at iversen-net.dk
Wed Apr 1 07:57:57 EST 2009
Flavien wrote:
> Hi,
>
> Christian Iversen wrote:
>> However, when we go to our customers' sites, we often issue commands
>> like "ssh user@fw0", which of course gives out endless warnings about
>> MITM attacks, and essentially makes host keys worthless on the internal
>> customer networks.
>>
>> It seems somewhat wrong to me. Isn't there some way to make OpenSSH save
>> the host key using the FQDN instead of just the local part?
>
> What about a trick like :
> $ tail -2 .ssh/config
> Host fw0
> Hostname fw0.client3.toto.org#CLIENTDOMAIN
> $ switch-ssh client2.org
> $ tail -2 .ssh/config
> Host fw0
> Hostname fw0.client2.org#CLIENTDOMAIN
>
> "switch-ssh" can be a script or even an alias in your shell, that
> does :
> sed -i \
> "s/^Hostname *\([^.]*\).*#CLIENTDOMAIN/Hostname \1.$1#CLIENTDOMAIN/" \
> .ssh/config
Hmm, that does seem like quite the hack. I think a better solution would
be to use "ssh -o UserKnownHostsFile=~/.ssh/customers/SITE" to provide a
specific hosts file for the customer.
An even better solution, now that I think of it, could be to define a
shell function named "ssh" that resolves the host part into a FQDN,
based on the search domain for the host, checked against a whitelist of
valid customer site names.
That way, only FQDNs would ever be stored. These are unique by
definition, so that should solve it pretty cleanly.
Does anyone have any comments about this idea?
--
Med venlig hilsen
Christian Iversen
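The wrapper sketched in the reply above, written out as an added example that is not part of the thread: it qualifies a bare host name with the first search domain of a resolv.conf-style file, refuses to do so unless that domain is on a whitelist of customer sites, and points ssh at a per-customer known_hosts file under ~/.ssh/customers/. The whitelist contents, the sample resolv.conf and the function names are assumptions for the example; the function prints the ssh command line instead of running it so it can be checked offline.

```shell
#!/bin/sh
# Added example (not from the thread): resolve a short host name to an FQDN
# using the network's search domain, check it against a whitelist of customer
# domains, and select a per-customer known_hosts file.

# Whitelist of valid customer domains (hypothetical values).
CUSTOMER_DOMAINS="client2.org client3.toto.org"

# Print the first "search" or "domain" entry of a resolv.conf-style file.
search_domain() {
    awk '$1 == "search" || $1 == "domain" { print $2; exit }' "$1"
}

# Succeed only if $1 is one of the whitelisted customer domains.
is_customer_domain() {
    for d in $CUSTOMER_DOMAINS; do
        [ "$1" = "$d" ] && return 0
    done
    return 1
}

# Build the ssh command line for a target ("host" or "user@host").
# $1: target; $2: resolv.conf path (defaults to the system file).
# Bare names are qualified with the search domain, which must be whitelisted;
# already-qualified names are kept as given.  Whenever the resulting domain is a
# known customer site, its own known_hosts file is used so host keys from
# different customers never collide under the same short name.
ssh_command() {
    target=$1
    resolv=${2:-/etc/resolv.conf}
    user=""
    host=$target
    case $target in
        *@*) user=${target%%@*}@; host=${target#*@} ;;
    esac
    case $host in
        *.*) ;;   # already an FQDN, leave it alone
        *)
            domain=$(search_domain "$resolv")
            is_customer_domain "$domain" || {
                echo "ssh wrapper: search domain '$domain' is not a known customer site" >&2
                return 1
            }
            host=$host.$domain ;;
    esac
    customer=${host#*.}
    if is_customer_domain "$customer"; then
        printf 'ssh -o UserKnownHostsFile=%s %s%s\n' \
            "$HOME/.ssh/customers/$customer" "$user" "$host"
    else
        printf 'ssh %s%s\n' "$user" "$host"
    fi
}

# Demo with a constructed resolv.conf (hypothetical contents, not the system file).
sample=${TMPDIR:-/tmp}/resolv.sample.$$
printf 'nameserver 10.0.0.1\nsearch client2.org\noptions ndots:1\n' > "$sample"
ssh_command admin@fw0 "$sample"
rm -f "$sample"
```

To use it as the "ssh" function the reply proposes, a shell rc file can define `ssh() { cmd=$(ssh_command "$1") || return 1; shift; eval "command $cmd \"\$@\""; }` (assumed wrapper, not shown in the thread); the whitelist check is what stops a hostile or misconfigured search domain from silently redirecting a short name to a host outside the customer's site.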