[Feature Request] Add (and check against) IP to known_hosts even when domain is used to connect
jospam at dietz-ulm.de
Wed Mar 25 02:23:37 AEDT 2020
Hello Bob and thank you for your reply,
first of all I hope that I'm answering in the right way since I had
enabled the daily digest and I'm not sure if it's the right way to use
Thunderbirds "Reply List" feature on this digest. If it's wrong this way
I apologize. I turned of the daily digest so my next messages should be
> Are you aware of HostKeyAlias?
Yes I read that but as far as I understand the feature is more like
aliasing commands in linux (so i.e if I have a server which I use as
webserver I could create the alias "webserver", configure the hostname,
port etc. and then just use the alias "webserver" instead of typing the
whole line with port etc. OpenSSH will then act as if I typed everything
like it's saved in the alias configuration. So if I understood that
right I don't really see how this helps me with my specific problem.
> Regardless of other things, for a set of servers I recommend using
> ssh-keyscan to pre-populate the known_hosts file.
Yea you're right. Currently my approach is far from perfect (I currently
just rely that everything is correct when first connecting to a newly
> but it isn't clear to me where you were thinking
> of those wildcards.
By wildcards I meant the feature to change the entry in known_hosts to
*.mydomain.com which would match this hostkey to the ssh commands
webserver.example.com, database.example.com etc.
> An example name or two to help us understand the type of naming you
> are using would help make this more concrete.
Sure, here you go (just a made-up example):
Imagine I have two servers, Server A has the ip AA.AA.AA.AA, Server B
has the ip BB.BB.BB.BB
I have to following services running on A:
- Webserver for website 1
- Database for the Website
And the following on B
- Some backend in node
- an gitlab instance
- gitlab database
- Webserver for website 2
Further I have the domain mydomain.com
Now I would create the following dns records:
webserver.mydomain.com A-Record with content AA.AA.AA.AA
mailserver.mydomain.com A-Record with content AA.AA.AA.AA
node-backend.mydomain.com A-Record with content BB.BB.BB.BB
gitlab.mydomain.com A-Record with content BB.BB.BB.BB
If I had to add another service I would install it on one of the servers
and then I would create a respective record and from there on I could
connect to the server running the service by using its respective dns
name (i.e. if I'd like to ssh into the server running the mailserver I'd
just type ssh username at mailserver.mydomain.com
Until now it sounds like something easy to accomplish with the Alias
feature. *But* this has a few disadventages to me:
- It requires a client side configuration which would need to be synced
between multiple clients (i.e. laptop, pc)
- It requires to make a change (and resync to all my devices) this
config when I move a service to another server instead of just changing
the DNS settings which are automatically in sync
- My end-goal goes even further (I left that out in the first mail
because it makes everything sound way more complex but I'll try to
explain it briefly now:)
What I really want to create in the end is something like this:
A service (probably web based). Let's say it has the domain
myservice.net. At the beginning I want to use the service just for me,
later users shall be able to create a subdomain on this service (for
free), i.e. username.myservice.net.
Then they shall be able to add their servers (so it's ipv4 and/or ipv6
ips) like they would add A and AAAA records in every normal DNS service.
The special thing is that they can add a description for every server.
This may be keywords or even a short text summarizing all services
running on the server.
The special thing is a custom designed DNS server (which I already
started to implement since I did not knew that known_hosts does not save
the ip but instead the hostname to check a servers fingerprint).
This DNS server implements a feature that I'd call "search by DNS". I
think I should explain it with the example from above.
So Imagine I created the subdomain joshua.myservice.net on the service
Then I'd add my servers A and B with its respective ip adresses
AA.AA.AA.AA and BB.BB.BB.BB
For server A the description could look like this: "This server runs a
webserver for website 1, a mailserver and the respective database for
And server B's description could look like "This server runs the node
backend, the gitlab instance, the respective database for gitlab and the
webserver for website 2"
Now I want to be able to use all subdomains under joshua.myservice.net
as a search-query which resolves to the respective server as soon as the
search has exactly one result (this is what the custom DNS server
So i.e. I could type ssh username at git-database.joshua.myservice.net
Since only the description of Server B contains the words "git" *and*
"database" this is the only server matching the search term and so it's
resolved to the IP of server B, BB.BB.BB.BB
*But* (and this is why I think wildcards and aliases are not suitable
for this) the same search could also look like this:
database.gitlab.joshua.myservice.net OR gitlab-data.myservice.net and so
So there is an infinit number of hostnames for each server. Also since
many users could use the service and it (or one of the servers) *could*
be hacked I don't want to use a wildcard like *.joshua.myservice.net.
(what I mean by wildcard is explained above) This would open an attack
vector like described here (https://superuser.com/a/1328615/933511)
(under heading "security caveat")
In my opinion a service like this could be really useful (at least for
me) but I don't think that it would be usable if it opens up even a
small attack vector or if it requires more then one small client-side
So as far as I can see the only option to make this useful and keep it
secure would be if there was an option like I described to add (and
check) hostkeys by ip even if a hostname is used to connect.
Sorry for the long message, it's pretty hard for me to explain it in
detail in english
Thank you for your time again
More information about the openssh-unix-dev