Different HostKeys for different hostnames or IPs in the same sshd?..

Ondřej Caletka ondrej.caletka at gmail.com
Sun Sep 25 17:50:51 EST 2011


Dne 21.9.2011 03:44, Damien Miller napsal(a):
> Unless you store keys in DNSSEC, OpenSSH doesn't have a mechanism to allow
> two hosts with the same name to use different keys.
> 
Not true. You can store two different fingerprints under the same name in
the known_hosts file, and the SSH client will be satisfied if one of the stored
fingerprints matches the key the server offered. The only problem is that
you have to fill in the correct fingerprints manually, as the SSH client refuses
to connect when there is a record for the host you are connecting to and no
fingerprint matches the offered host key.

From the sshd man page:
> When performing host authentication, authentication is accepted if
> any matching line has the proper key; either one that matches exactly
> or, if the server has presented a certificate for authentication,
> the key of the certification authority that signed the certificate.

--
Ondrej Caletka
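The behaviour described in this message, as an added example that is not part of the thread and not OpenSSH's own code: a small Python emulation of the client's known_hosts lookup, applying the rule quoted from sshd(8) that a key is accepted when any line matching the host carries it, so two lines for the same name with different keys both verify. It goes beyond the message by also handling hashed host fields (`|1|salt|hash|`), wildcard and negated patterns, and `@revoked` markers; `@cert-authority` lines are skipped because certificate validation is not modelled. The hostnames, the salt and the key blobs are constructed placeholders (the blobs are valid base64 but not real SSH public keys).

```python
"""Emulate the OpenSSH client's known_hosts matching for a host that has
several lines, each carrying a different host key (added example)."""
import base64
import fnmatch
import hashlib
import hmac


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Build a hashed host field as written by HashKnownHosts:
    |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))|"""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (base64.b64encode(salt).decode(),
                          base64.b64encode(digest).decode())


def _pattern_matches(pattern: str, hostname: str) -> bool:
    """One host pattern: hashed form, or a plain/wildcard (*, ?) name."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, _, _ = pattern.split("|")
        return hash_hostname(hostname, base64.b64decode(salt_b64)) == pattern
    return fnmatch.fnmatchcase(hostname, pattern)


def host_field_matches(host_field: str, hostname: str) -> bool:
    """The host field is comma-separated; a negated pattern (!) vetoes the line."""
    matched = False
    for pat in host_field.split(","):
        if pat.startswith("!"):
            if _pattern_matches(pat[1:], hostname):
                return False
        elif _pattern_matches(pat, hostname):
            matched = True
    return matched


def check_host_key(known_hosts: str, hostname: str, key_type: str, key_b64: str) -> str:
    """Return 'ok', 'revoked', 'changed' or 'unknown'.
    'ok' as soon as ANY matching line carries the offered key (the sshd(8) rule);
    'changed' when lines for the host exist but none carries it (the client refuses);
    'unknown' when no line names the host (first-contact prompt in real ssh)."""
    seen_host = False
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue  # malformed line, ignored like ssh does
        host_field, ktype, kblob = fields[0], fields[1], fields[2]
        if not host_field_matches(host_field, hostname):
            continue
        if marker == "@cert-authority":
            continue  # certificate checking is not modelled here
        same_key = (ktype == key_type and kblob == key_b64)
        if marker == "@revoked":
            if same_key:
                return "revoked"
            continue
        if ktype == key_type:
            seen_host = True  # real ssh reports other key types separately
        if same_key:
            return "ok"
    return "changed" if seen_host else "unknown"


# Constructed sample data: placeholder blobs, not real keys.
KEY_ONE = base64.b64encode(b"constructed host key one").decode()
KEY_TWO = base64.b64encode(b"constructed host key two").decode()
KEY_OLD = base64.b64encode(b"constructed revoked key").decode()
SALT = b"0123456789abcdef0123"  # constructed 20-byte salt

KNOWN_HOSTS = "\n".join([
    "# two different keys stored under the same name",
    "example.internal ssh-ed25519 " + KEY_ONE,
    "example.internal,10.0.0.5 ssh-ed25519 " + KEY_TWO,
    "@revoked example.internal ssh-ed25519 " + KEY_OLD,
    "*.internal,!hashed.internal ssh-ed25519 " + KEY_TWO,
    hash_hostname("hashed.internal", SALT) + " ssh-ed25519 " + KEY_ONE,
])

if __name__ == "__main__":
    for host, key in [("example.internal", KEY_ONE), ("example.internal", KEY_TWO),
                      ("10.0.0.5", KEY_ONE), ("example.internal", KEY_OLD),
                      ("hashed.internal", KEY_ONE), ("nowhere.example", KEY_ONE)]:
        print(host, key[:8], "->", check_host_key(KNOWN_HOSTS, host, "ssh-ed25519", key))
```

The two `example.internal` lines are exactly the manual setup described above: whichever of the two keys the server presents, one line matches and the client is satisfied; a third key yields `changed`, which is the refusal the message warns about.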

