Different HostKeys for different hostnames or IPs in the same sshd?..

Ben Lindstrom mouring at offwriting.org
Wed Sep 21 23:41:33 EST 2011


Wouldn't this be a case for using the CA functionality and signing the host keys?  They may be different but at least they are signed as trusted so there should be less grief that they have been tampered with.

And we have basic CA functionality in OpenSSH right now.

- Ben

On Sep 21, 2011, at 1:09 AM, Mikhail T. wrote:

> On 21.09.2011 01:49, Darren Tucker wrote:
>>> >  Is not there something similar in ssh protocol? Can it, perhaps, be added?
>> There's not.  I guess it might be theoretically possible to shoehorn
>> it in but I don't see much value in it.
> 
> I thought, I began this thread with a use-case for this feature... It is hardly an exotic situation and allowing to solve the problem "properly" would be most valuable.
> 
>> >  Alternatively, is there a way to make the client check the remote host key
>> >  against not one, but *several* of the known keys for the same name?
>> Not the openssh client.  I dunno if any other implementations can.
> 
> Can't the client be altered to do this?
> 
> Yours,
> 
>   -mi
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
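Ben's suggestion above, as an added shell walkthrough (not code from the thread or from the OpenSSH project): one host CA signs each per-name host key as a host certificate restricted to the principals it is presented under, the client trusts that CA through a `@cert-authority` line in known_hosts, and sshd presents each HostKey with its matching HostCertificate. All paths, hostnames (example.net, 192.0.2.0/24) and certificate ids are assumed or constructed for the example.

```shell
#!/bin/sh
# Added example: one OpenSSH host CA, several host keys, one trust anchor on the client.
# Assumes ssh-keygen (OpenSSH 5.4 or later) is installed; every path below is hypothetical.
set -eu

# Create the host CA key (in practice kept offline; no passphrase only for the demo).
make_host_ca() {                       # $1 = CA private key path
    ssh-keygen -q -t ed25519 -N '' -C "host-ca" -f "$1"
}

# Sign a host public key as a *host* certificate (-h) limited to the comma-separated
# principals (-n): the hostnames/IPs under which this particular key will be offered.
# Validity is bounded (-V) so a leaked host key does not stay trusted forever.
sign_host_key() {                      # $1 = CA key, $2 = host .pub, $3 = principals, $4 = cert id
    ssh-keygen -q -s "$1" -I "$4" -h -n "$3" -V -5m:+52w "$2"
}

# known_hosts line: trust any host certificate issued by this CA for hosts matching
# the pattern list. Only the key type and base64 blob of the CA public key are used.
cert_authority_line() {                # $1 = host pattern(s), $2 = CA .pub path
    printf '@cert-authority %s %s\n' "$1" "$(cut -d' ' -f1,2 "$2")"
}

# sshd_config fragment: each HostKey is paired with the certificate ssh-keygen wrote
# next to it (<key>-cert.pub), so the server offers a signed key for every name.
sshd_config_fragment() {               # $@ = host private key paths
    for k in "$@"; do
        printf 'HostKey %s\nHostCertificate %s-cert.pub\n' "$k" "$k"
    done
}

# End-to-end demo in a scratch directory: two host keys, each certified for a
# different name, one CA line for the client, and the matching sshd_config lines.
demo() {
    d=$(mktemp -d)
    make_host_ca "$d/host_ca"
    ssh-keygen -q -t ed25519 -N '' -f "$d/key_a"          # offered as www.example.net
    ssh-keygen -q -t ed25519 -N '' -f "$d/key_b"          # offered as 192.0.2.10
    sign_host_key "$d/host_ca" "$d/key_a.pub" "www.example.net" "host-key-a"
    sign_host_key "$d/host_ca" "$d/key_b.pub" "192.0.2.10" "host-key-b"
    cert_authority_line '*.example.net,192.0.2.*' "$d/host_ca.pub" > "$d/known_hosts"
    cat "$d/known_hosts"
    sshd_config_fragment "$d/key_a" "$d/key_b"
    ssh-keygen -L -f "$d/key_a-cert.pub"                  # shows "host certificate" and its principals
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run as `sh example.sh demo`; a client with that known_hosts line accepts either server key for the names in its certificate without a per-key entry, and a key certified for one name is still rejected when presented under another.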
