Different HostKeys for different hostnames or IPs in the same sshd?..

Mikhail T. mi+thun at aldan.algebra.com
Wed Sep 21 13:53:04 EST 2011


On 20.09.2011 22:20, Darren Tucker wrote:
> If by "IP-address that the incoming connection uses" you mean "address
> that you connect *to*" then you can run two separate sshds with
> distinct configs (setting at least ListenAddress and HostKey to
> different values).
Yes, running a completely separate sshd-instance is possible. But it 
means replicating the rest of the sshd_config (and ensuring those 
remain in sync). It also means running an extra process for each of the 
possible roles the server might have (if the same host is used as the 
fallback for different primary servers, for example).

But the real problem is (or could be for some) the IP-address. Years ago 
a separate IP was required for each virtual host on the same web-server 
-- until the Host-header became part of the HTTP-spec. Nobody liked such 
usage of IP-addresses, obviously...

Isn't there something similar in the ssh protocol? Can it, perhaps, be added?

Alternatively, is there a way to make the client check the remote host 
key against not one, but *several* of the known keys for the same name?

Thanks! Yours,

    -mi
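As an added illustration of the last question (example code written for this page, not from OpenSSH or anyone in the thread), here is a small emulation of a known_hosts lookup that accepts a presented key when it matches any of several keys recorded for the same name; the OK/CHANGED/NEW outcomes are modelled on OpenSSH's hostfile semantics, and the host names, salt and key blobs are constructed placeholders:

```python
import base64
import hashlib
import hmac

# Constructed placeholder key blobs (base64 of repeated bytes, not real keys).
KEY_PRIMARY = "QUFBQUFBQUFBQUFBQUFB"
KEY_FALLBACK = "QkJCQkJCQkJCQkJCQkJC"
KEY_OTHER = "Q0NDQ0NDQ0NDQ0NDQ0ND"


def hash_host_field(host: str, salt: bytes) -> str:
    """Build the |1|salt|hmac host field OpenSSH writes with HashKnownHosts."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


# Constructed known_hosts: fallback.example is listed under two ed25519 keys,
# once as a plain name (with an address alias) and once in hashed form.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# comment lines and blank lines are ignored",
    "fallback.example,192.0.2.10 ssh-ed25519 " + KEY_PRIMARY + " primary role",
    hash_host_field("fallback.example", b"0123456789abcdefghij")
    + " ssh-ed25519 " + KEY_FALLBACK + " fallback role",
    "other.example ssh-ed25519 " + KEY_OTHER,
])


def host_matches(field: str, host: str) -> bool:
    """True if a known_hosts host field covers host (plain list or |1| hash);
    wildcards, negation and [host]:port forms are deliberately not handled."""
    if field.startswith("|1|"):
        _, _, salt_b64, hash_b64 = field.split("|")
        digest = hmac.new(base64.b64decode(salt_b64), host.encode(),
                          hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64encode(digest).decode(), hash_b64)
    return host in field.split(",")


def check_host_key(known_hosts: str, host: str, keytype: str, key_b64: str) -> str:
    """'OK' if any entry for host carries this exact key, 'CHANGED' if host has
    keys of this type but none match, 'NEW' if host has no key of this type."""
    seen_same_type = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(("#", "@")):  # @-markers out of scope
            continue
        if len(parts) < 3 or not host_matches(parts[0], host) or parts[1] != keytype:
            continue
        seen_same_type = True
        if parts[2] == key_b64:
            return "OK"  # accepted: matched one of several keys known for this name
    return "CHANGED" if seen_same_type else "NEW"
```

Every line whose host field covers the name is consulted, so the client-side half of the question (several acceptable keys under one name) is expressible in the file format itself; the server-side half (one sshd choosing a key per requested name) is what the thread is asking about.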
