Why hostkeys-00 at openssh.com is following user authentication?

Damien Miller djm at mindrot.org
Thu Dec 24 08:30:44 AEDT 2015


On Wed, 23 Dec 2015, Alon Bar-Lev wrote:

> Hello,
> 
> This hostkeys extension is great, reading[1]:
> """
> OpenSSH supports a protocol extension allowing a server to inform a
> client of all its protocol v.2 host keys after user-authentication has
> completed.
> """
> 
> I wonder, why should user authentication be completed before this
> functionality is available? This means that ssh-keyscan tool (for
> example) cannot take advantage of the functionality.

It's done this way because the only extensible messages in the protocol
are channel and global requests, which are only valid after the
"ssh-connection" (channels) service has been requested. This only happens
after userauth.

It would be better to do it after key exchange and before user
authentication, but it would also be less compatible with other
implementations.

-d
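As an added illustration of the ordering described above (example code, not from this thread or from OpenSSH itself): a minimal encoder and client-side handler for the hostkeys-00@openssh.com global request, laid out as OpenSSH's PROTOCOL file documents it (SSH_MSG_GLOBAL_REQUEST, request name, want-reply byte, then one SSH string per host key). The key blobs are constructed placeholders and ClientState is a hypothetical model of a client that only accepts global requests once the ssh-connection service is active.

```python
import struct

SSH_MSG_GLOBAL_REQUEST = 80  # RFC 4254 message number
HOSTKEYS_REQ = b"hostkeys-00@openssh.com"

# Constructed placeholder blobs; real values are binary public-key encodings.
SAMPLE_KEYS = [b"CONSTRUCTED-ed25519-key-blob", b"CONSTRUCTED-ecdsa-key-blob"]


def ssh_string(b: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def read_string(buf: bytes, off: int):
    """Decode one SSH 'string' at offset off; reject truncated input."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off:off + n], off + n


def encode_hostkeys_request(hostkeys) -> bytes:
    """Server side: announce all host keys in one global request (want-reply = 0)."""
    msg = bytes([SSH_MSG_GLOBAL_REQUEST]) + ssh_string(HOSTKEYS_REQ) + b"\x00"
    return msg + b"".join(ssh_string(k) for k in hostkeys)


class ClientState:
    """Hypothetical client: global requests are only valid after userauth,
    because that is when the ssh-connection service becomes active."""

    def __init__(self):
        self.connection_service = False

    def userauth_success(self):
        self.connection_service = True

    def handle(self, msg: bytes):
        if msg[0] != SSH_MSG_GLOBAL_REQUEST:
            raise ValueError("unexpected message type %d" % msg[0])
        if not self.connection_service:
            raise ValueError("global request before ssh-connection service")
        name, off = read_string(msg, 1)
        off += 1  # skip the want-reply byte
        if name != HOSTKEYS_REQ:
            return None  # some other extension; not our concern here
        keys = []
        while off < len(msg):
            key, off = read_string(msg, off)
            keys.append(key)
        return keys


def demo():
    """Same message, delivered before and after userauth: rejected, then parsed."""
    state, msg = ClientState(), encode_hostkeys_request(SAMPLE_KEYS)
    try:
        state.handle(msg)
        before = "accepted"
    except ValueError:
        before = "rejected"
    state.userauth_success()
    return before, state.handle(msg)
```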

