[Feature Request] Add (and check against) IP to known_hosts even when domain is used to connect

Bob Proulx bob at proulx.com
Mon Mar 23 04:57:01 AEDT 2020

Joshua Dietz wrote:
> What I would like the do is to have many (sub)domains pointing to the same
> server. This *may* be hundreds and they may change so it is not practical to
> add all of them to known_hosts. Also I don't want to use the wildcard
> feature since the dns is not necessarily trusted and the domain may be
> shared between multiple users all having subdomains there.

Are you aware of HostKeyAlias?  I know you say you "don't want to use
the wildcard feature" but it isn't clear to me where you were thinking
of those wildcards.  This might be a case acceptable to you.

             Specifies an alias that should be used instead of the real host
             name when looking up or saving the host key in the host key
             database files and when validating host certificates.  This
             option is useful for tunneling SSH connections or for multiple
             servers running on a single host.

This is useful when one accesses a host by a different name but want
to store in known_hosts the canonical name.

> The reason why I want to do that is because I have many different services
> on different servers. Currently I have to remember or write down which
> service is running on which server. But I would prefer to just have a
> subdomain for every service to connect to the respective server.

An example name or two to help us understand the type of naming you
are using would help make this more concrete.  I can guess something
like ldap.example.net and sql.example.net and things like that but
experience tells me that my guesses will be far different than yours.

> The problem is that currently, even if the ip of the server is always the
> same, I have to say "yes" to the question which adds the host to known_hosts
> for *every* of the domains.
> This could even lead to a security problem because if you have to do this
> that often then you'll get into the mode "ah, it asks me if the key is
> correct, probably I haven't used this domain before to connect".

Regardless of other things, for a set of servers I recommend using
ssh-keyscan to pre-populate the known_hosts file.  That way one is not
habituating oneself into accepting host keys all of the time.  Having
a known known_hosts file means that accepting a new host key is an
unusual event and not an every time event.

Therefore I suggest that you scan all of your possible dns names to
create a pre-populated known_hosts file.  Update it when your server
collective changes.  Give it the review it deserves at that time.
Then seamlessly use ssh the rest of the time.

> So my feature idea would be the following:

As to your feature request I have no opinion.  It did not seem
completely unreasonable to me on first reading. :-)  I will leave
comment about the feature to others.


More information about the openssh-unix-dev mailing list