Different HostKeys for different hostnames or IPs in the same sshd?..
Darren Tucker
dtucker at zip.com.au
Wed Sep 21 15:49:00 EST 2011
On Wed, Sep 21, 2011 at 1:53 PM, Mikhail T. <mi+thun at aldan.algebra.com> wrote:
[...]
> Yes, running a completely separate sshd-instance is possible. But it means
> replicating the rest of the sshd_config (and ensuring, those remain in
> sync).
You could specify them on the command line using -o to remove the need
for multiple files:
/usr/sbin/sshd -o ListenAddress=1.2.3.4 -o HostKey=/etc/ssh/some_key
> It also means running an extra process for each of the possible roles
> the server might have (if the same host is used as the fallback for
> different primary servers, for example).
That remains true.
> But the real problem is (or could be for some) the IP-address. Years ago a
> separate IP was required for each virtual host on the same web-server --
> until the Host-header became part of the HTTP-spec. Nobody liked such usage
> of IP-addresses, obviously...
Many webservers still have the problem today with SSL. There are some
SSL protocol workarounds (SAN and SNI, the latter being closer to HTTP
Host in spirit).
> Is not there something similar in ssh protocol? Can it, perhaps, be added?
There's not. I guess it might be theoretically possible to shoehorn
it in but I don't see much value in it.
> Alternatively, is there a way to make the client check the remote host key
> against not one, but *several* of the known keys for the same name?
Not the openssh client. I dunno if any other implementations can.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
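The -o approach described above, worked through as an added example (my script, not code from the post or from the OpenSSH project): one shared sshd_config, one sshd process per role, with only the bind address, host key and pid file passed on the command line, plus a check with ssh-keyscan that each address really serves the key assigned to its role. Role names, the loopback addresses 127.0.0.1/127.0.0.2, ports 2201/2202, the /tmp/sshd-roles run directory and the key paths are all assumptions. One caveat the post does not mention: ListenAddress and HostKey are list-valued directives, so a -o value is added to, not substituted for, any such line in the shared file; the script therefore checks that the shared config carries neither.

```shell
#!/bin/sh
# Added example, not code from the list post or from OpenSSH itself.
# One shared sshd_config, one sshd process per role; only the bind address,
# host key and pid file differ, and they are passed with -o as the post suggests.
# Role names, addresses, ports and paths below are assumptions.

SSHD=${SSHD:-/usr/sbin/sshd}                     # sshd must be started by absolute path
BASE_CONFIG=${BASE_CONFIG:-/etc/ssh/sshd_config} # the one config all roles share
RUNDIR=${RUNDIR:-/tmp/sshd-roles}                # per-role pid files and keys (assumed)

# Print the command line for one role.  Usage: sshd_role_argv ROLE ADDR PORT KEYFILE
sshd_role_argv() {
    printf '%s -f %s -o ListenAddress=%s:%s -o HostKey=%s -o PidFile=%s/%s.pid\n' \
        "$SSHD" "$BASE_CONFIG" "$2" "$3" "$4" "$RUNDIR" "$1"
}

# ListenAddress and HostKey are list-valued: a -o value is added to, not
# substituted for, any such line in the config file.  The shared file must
# therefore carry neither.  Exit 0 when it is clean; offending lines go to stderr.
conflicting_bind_directives() {
    [ -r "$1" ] || return 2
    ! grep -Ei '^[[:space:]]*(ListenAddress|HostKey)[[:space:]=]' "$1" >&2
}

# Compare an ssh-keyscan line ("host type base64") with a .pub line
# ("type base64 [comment]").  Exit 0 when the served key is the role's key.
key_matches() {
    served=$(printf '%s\n' "$1" | awk 'NF >= 3 { print $2, $3 }')
    expected=$(printf '%s\n' "$2" | awk 'NF >= 2 { print $1, $2 }')
    [ -n "$served" ] && [ "$served" = "$expected" ]
}

# Start one instance; generates the role's key first if it does not exist yet.
start_role() {   # ROLE ADDR PORT KEYFILE
    mkdir -p "$RUNDIR"
    [ -f "$4" ] || ssh-keygen -q -N '' -t ed25519 -f "$4"
    eval "$(sshd_role_argv "$@")"      # paths are assumed to contain no spaces
}

# Ask the address for its key and check it is the one assigned to the role.
verify_role() {   # ADDR PORT KEYFILE
    scanned=$(ssh-keyscan -t ed25519 -p "$2" "$1" 2>/dev/null)
    key_matches "$scanned" "$(cat "$3.pub")"
}

# Two roles on two loopback addresses (127.0.0.2 is bound by default on Linux only).
demo() {
    conflicting_bind_directives "$BASE_CONFIG" ||
        echo "warning: $BASE_CONFIG pins its own ListenAddress/HostKey" >&2
    start_role primary  127.0.0.1 2201 "$RUNDIR/primary_key"
    start_role fallback 127.0.0.2 2202 "$RUNDIR/fallback_key"
    sleep 1
    verify_role 127.0.0.1 2201 "$RUNDIR/primary_key"  && echo "primary:  serves its own key"
    verify_role 127.0.0.2 2202 "$RUNDIR/fallback_key" && echo "fallback: serves its own key"
    kill "$(cat "$RUNDIR/primary.pid")" "$(cat "$RUNDIR/fallback.pid")"
}

if [ "${1-}" = demo ]; then demo; fi
```

Run it as `sh roles.sh demo` on a host with sshd installed; without the argument it only defines the helpers. The ed25519 key type postdates the 2011 post (it arrived in OpenSSH 6.5), so substitute rsa on older releases. The separate process per role is still needed, as the reply says; what the shared -f file plus -o buys is that the rest of the configuration lives in exactly one place.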