[Feature Request] Add (and check against) IP to known_hosts even when domain is used to connect

Joshua Dietz jospam at dietz-ulm.de
Sun Mar 22 06:22:06 AEDT 2020


Hello,

I spent the whole day searching around and the conclusion of my research 
by now is that what I want to accomplish is currently not possible 
without too many compromises.

A brief summary of my use case (feature idea below):

What I would like to do is to have many (sub)domains pointing to the 
same server. This *may* be hundreds and they may change, so it is not 
practical to add all of them to known_hosts. Also I don't want to use 
the wildcard feature since the DNS is not necessarily trusted and the 
domain may be shared between multiple users all having subdomains there.

The reason why I want to do that is because I have many different 
services on different servers. Currently I have to remember or write 
down which service is running on which server. But I would prefer to 
just have a subdomain for every service to connect to the respective server.

The problem is that currently, even if the IP of the server is always 
the same, I have to say "yes" to the question which adds the host to 
known_hosts for *every one* of the domains.

This could even lead to a security problem because if you have to do 
this that often then you'll get into the mode "ah, it asks me if the key 
is correct, probably I haven't used this domain before to connect".


So my feature idea would be the following:

Something like a configuration option saying "Always resolve DNS before 
host key checking". Probably the name already tells what it's about. So 
with this option enabled, OpenSSH would, before adding the host to 
known_hosts and before checking a host against known_hosts, resolve it to 
the IP and then check the IP instead of the domain. So if I'd do

ssh user@example.com

it'd not check if known_hosts contains example.com but instead resolve 
example.com to an IP address (which it does anyway), say 95.95.95.95, and 
then check this IP against known_hosts (or add it if it is not in the 
file and the user says yes).

So what do you think? Could this feature help more people than just me? 
Does it maybe introduce some security problems which I did not see yet?

One person whom I told about the idea said "but the IP could be 
spoofed". But as far as my understanding goes A) the same problem is 
currently present the other way around if the DNS gets spoofed and B) 
the identity of the server should still be verified by its private key.

Just in case this feature does exist against all my research: I'm sorry. 
I really spent hours to prepare before disturbing you.

Thank you in advance for your time and thank you for your great work!

Kind regards

Joshua
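To make the proposed lookup concrete, here is an added example (not code from the post or from OpenSSH) that models known_hosts checking in Python: it parses plain and hashed (`|1|salt|hmac`) entries the way OpenSSH writes them, and `check_host()` can either look up the hostname only (today's prompt-per-subdomain behaviour) or, with `resolve_first=True`, also look up the address the name resolves to, which is the option the post asks for. The DNS mapping, the salt and the key blob are constructed placeholders; a real client would call `getaddrinfo()` and compare the key the server actually presents. The point the last paragraph of the post makes is visible in the return values: whichever field matched, a stored key that differs from the presented one is still a hard `mismatch`, so a spoofed IP or DNS answer that leads to a different machine is caught by the host key, not by the lookup.

```python
import base64
import hashlib
import hmac
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for DNS: many subdomains all resolve to one address, as
# described in the post. A real client would call getaddrinfo(); this mapping
# is an assumption for the demo.
FAKE_DNS: Dict[str, str] = {
    "git.example.com": "95.95.95.95",
    "mail.example.com": "95.95.95.95",
    "www.example.com": "95.95.95.95",
}

# Placeholder key blob (constructed, not a real host key).
HOST_KEY: Tuple[str, str] = (
    "ssh-ed25519",
    "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYBLOBFORDEMOONLY",
)


def hash_host(hostname: str, salt: bytes) -> str:
    """Build a hashed host token in the |1|salt|hmac form OpenSSH writes."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def host_matches(token: str, candidate: str) -> bool:
    """Match a known_hosts host field (plain, comma-separated or hashed) to one name."""
    if token.startswith("|1|"):
        _, _, salt_b64, digest_b64 = token.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, candidate.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(digest_b64))
    return candidate in token.split(",")


def parse_known_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Return (hosts, keytype, keyblob) triples; comments and @-marker lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        parts = line.split()
        if len(parts) >= 3:
            entries.append((parts[0], parts[1], parts[2]))
    return entries


def check_host(
    known_hosts: str,
    hostname: str,
    presented_key: Tuple[str, str],
    resolve: Callable[[str], Optional[str]] = FAKE_DNS.get,
    resolve_first: bool = False,
) -> str:
    """Classify a connection as 'match', 'mismatch' or 'unknown'.

    resolve_first=False looks up the hostname only (the behaviour the post
    complains about). resolve_first=True is the proposed option: the name is
    resolved and its IP is looked up as well. In both modes the stored key must
    equal the presented one, so a spoofed IP or DNS answer that leads to a
    different machine still ends in 'mismatch'.
    """
    candidates = [hostname]
    if resolve_first:
        ip = resolve(hostname)
        if ip:
            candidates.append(ip)
    stored = [
        (ktype, blob)
        for hosts, ktype, blob in parse_known_hosts(known_hosts)
        if any(host_matches(hosts, c) for c in candidates)
    ]
    if presented_key in stored:
        return "match"
    if stored:
        return "mismatch"  # known host, different key: hard failure
    return "unknown"       # the yes/no prompt the post wants to avoid


# Constructed sample file: one entry by IP, one hashed entry by hostname.
SALT = b"0123456789abcdefghij"  # constructed 20-byte salt
KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "%s %s %s" % (("95.95.95.95",) + HOST_KEY),
    "%s %s %s" % ((hash_host("www.example.com", SALT),) + HOST_KEY),
])

if __name__ == "__main__":
    for name in ("git.example.com", "www.example.com"):
        for mode in (False, True):
            print(name, "resolve_first=%s" % mode,
                  check_host(KNOWN_HOSTS, name, HOST_KEY, resolve_first=mode))
```

With the sample file, `git.example.com` is `unknown` under hostname-only lookup and `match` once the resolved IP is consulted, while `www.example.com` matches through its hashed entry either way. For the real client, the closest existing knobs in ssh_config are `CheckHostIP` (also record and check the host's IP in known_hosts) and `HostKeyAlias` (look the key up under a fixed alias, e.g. from a `Host *.example.com` block, so one entry serves all subdomains); both still verify the server's key exactly as the example does.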



More information about the openssh-unix-dev mailing list