known_hosts

Ben Lindstrom mouring at eviladmin.org
Thu Jun 3 00:03:53 EST 2010


$ man sshd
[..]
SSH_KNOWN_HOSTS FILE FORMAT
     The /etc/ssh_known_hosts and ~/.ssh/known_hosts files contain host public keys for all known hosts.  The global file should be
     prepared by the administrator (optional), and the per-user file is maintained automatically: whenever the user connects from an
     unknown host, its key is added to the per-user file.

     Each line in these files contains the following fields: hostnames, bits, exponent, modulus, comment.  The fields are separated by
     spaces.

     Hostnames is a comma-separated list of patterns (`*' and `?' act as wildcards); each pattern in turn is matched against the
     canonical host name (when authenticating a client) or against the user-supplied name (when authenticating a server).  A pattern
     may also be preceded by `!' to indicate negation: if the host name matches a negated pattern, it is not accepted (by that line)
     even if it matched another pattern on the line.  A hostname or address may optionally be enclosed within `[' and `]' brackets
     then followed by `:' and a non-standard port number.


.. This has been in since 2006.  Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=910

- Ben

On Jun 2, 2010, at 7:49 AM, Alex Bligh wrote:

> Is there a good reason why known_hosts stores the address of the server
> but not the port? This is annoying when one host is running more than
> one instance of openssh with different ports and different keys, or
> (less tractably) when a NAT in front of multiple hosts multiplexes
> which host is connected to by port number. I see no immediate security
> implication in fixing this, but am I missing something?
> 
> -- 
> Alex Bligh
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
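Added example, not part of the original thread or of OpenSSH's own code: a small Python matcher that applies the known_hosts rules quoted from the man page above (comma-separated patterns, `*`/`?` wildcards, `!` negation, and the `[host]:port` form) to a constructed sample file, to show that a host on port 22 and the same host on port 2222 resolve to different lines. Assumptions: the sample entries use the three-field `hostnames keytype key [comment]` layout rather than the `bits, exponent, modulus` layout in the excerpt; the key strings are placeholders; the lookup name is the bare hostname on port 22 and `[host]:port` otherwise; hashed (`|1|...`) entries and `@` marker lines are skipped.

```python
import re

# Constructed sample known_hosts content (placeholder keys, not real material).
SAMPLE_KNOWN_HOSTS = """\
# hostnames keytype key [comment]
example.org,192.0.2.10 ssh-ed25519 AAAAKEY1 sshd-on-22
[example.org]:2222 ssh-ed25519 AAAAKEY2 second-sshd-on-2222
[nat.example.net]:2201 ssh-rsa AAAAKEY3 host-a-behind-nat
[nat.example.net]:2202 ssh-rsa AAAAKEY4 host-b-behind-nat
*.example.org,!bad.example.org ssh-ed25519 AAAAKEY5 wildcard-with-negation
"""

DEFAULT_PORT = 22


def lookup_name(host, port=DEFAULT_PORT):
    """Name to match against the hostnames field: the bare host on the
    default port, "[host]:port" otherwise (assumed from the man page text)."""
    host = host.lower()
    return host if port == DEFAULT_PORT else "[%s]:%d" % (host, port)


def pattern_to_regex(pattern):
    """Only '*' and '?' are wildcards; '[', ']', '.' and ':' are literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def hostnames_match(hostnames_field, name):
    """Evaluate the comma-separated pattern list. A negated ('!') match
    rejects the whole line even if another pattern on it matched."""
    matched = False
    for pattern in hostnames_field.split(","):
        negate = pattern.startswith("!")
        if negate:
            pattern = pattern[1:]
        if pattern and pattern_to_regex(pattern).match(name):
            if negate:
                return False
            matched = True
    return matched


def parse_known_hosts(text):
    """Yield (hostnames, keytype, key, comment) per entry. Blank lines,
    '#' comments, hashed '|1|' entries and '@' marker lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#|@":
            continue
        fields = line.split(None, 3)
        if len(fields) < 3:
            continue  # malformed entry
        hostnames, keytype, key = fields[:3]
        comment = fields[3] if len(fields) == 4 else ""
        yield hostnames, keytype, key, comment


def find_host_keys(text, host, port=DEFAULT_PORT):
    """Return the (keytype, key) pairs recorded for host:port."""
    name = lookup_name(host, port)
    return [(kt, k) for hn, kt, k, _ in parse_known_hosts(text)
            if hostnames_match(hn, name)]


if __name__ == "__main__":
    for host, port in [("example.org", 22), ("example.org", 2222),
                       ("nat.example.net", 2201), ("nat.example.net", 2202),
                       ("nat.example.net", 22), ("good.example.org", 22),
                       ("bad.example.org", 22)]:
        print(lookup_name(host, port), find_host_keys(SAMPLE_KNOWN_HOSTS, host, port))
```

Note that with this matching the entry for `[nat.example.net]:2201` does not apply to a plain port-22 connection to `nat.example.net`, so each NAT-multiplexed port can carry its own key without the entries colliding.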
