hosts with gateway for hostkey checking? (was: Re: Host names hashing)
Brian Candler
b.candler at pobox.com
Fri Jan 7 00:26:35 AEDT 2022
On 06/01/2022 12:54, mark dominik bürkle wrote:
> Besides accessing "same" IPs in a VLAN env, I see two more possibilities that might be in widespread use:
> - vlan env
> - administering home office (or friends') pcs
> - customers accessed via (multiple) vpn
>
> Most of these will have different gateway IPs (or just different interfaces?).
> So, for these users, finding the gw (e.g. via "ip route get <target>" as shell cmd) and combining this with the hostname/ip for the known_hosts lookup might be helpful.
> with an option like
> KnownHostsUseGw <host_list>
> the known_host_entry might then be extended like
> <known_host_entry> ":via_" <gw>
> or
> <known_host_entry> ":via_" <device>
You haven't explicitly said what problem you're trying to solve. Is it
that two different networks you use both have a host 192.168.1.123, and
these are colliding in known_hosts? I don't really see how the gateway
comes into this; you could have two different 192.168.1.0/24 networks
both with gateway 192.168.1.1, and you may be connected directly to the LAN.
There are several solutions to this, but in any case you should be
accessing each target with a distinct name (because "ssh 192.168.1.123"
can't tell the difference between the two 192.168.1.123 hosts).
If you have names that resolve in /etc/hosts or DNS under a shared
domain, you could do this in ~/.ssh/config:
    Host *.myfriend.local
        UserKnownHostsFile ~/.ssh/known_hosts_myfriend ~/.ssh/known_hosts
Or you can make explicit entries for individual hosts (which is useful
to give them shortcut names anyway):
    # My friend's machines
    Host foo
        Hostname 192.168.1.123
        UserKnownHostsFile ~/.ssh/known_hosts_myfriend
    Host bar
        Hostname 192.168.1.124
        UserKnownHostsFile ~/.ssh/known_hosts_myfriend

    # Work machines
    Host qux
        Hostname 192.168.1.123
        UserKnownHostsFile ~/.ssh/known_hosts_work
Recent versions of ssh also support "KnownHostsCommand" which can
implement more sophisticated logic of your choosing, for retrieving the
expected host keys for a given host.
HTH,
Brian.
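The following is an added example, not code from either poster or from OpenSSH itself. It shows how the "find the gateway with ip route get" idea from the quoted message can be built on the existing KnownHostsCommand option (available since OpenSSH 8.5) instead of a new KnownHostsUseGw option: ssh runs the command with the host being looked up (%H) and the reason (%I), and the command prints zero or more known_hosts-format lines, which ssh then matches against the host exactly as it would lines read from a file. The gateway addresses (10.99.0.1, 192.168.1.1), device patterns (tun*, wg*) and file names are assumptions for illustration. Brian's objection still applies: two LANs can share a gateway address, and a directly attached target has no "via" field at all, so the script treats a VPN interface as the reliable discriminator and falls back to the ordinary known_hosts for a bare LAN route.

```sh
#!/bin/sh
# Added example (not from the thread): KnownHostsCommand helper that picks a
# known_hosts file from the route ssh's target would take.
#
# Install with, in ~/.ssh/config:
#   KnownHostsCommand /path/to/known_hosts_by_route.sh %H %I
# Gateway addresses, device names and file names below are assumptions.

# Directory holding the per-network files; overridable for testing.
kh_dir() { printf '%s\n' "${KNOWN_HOSTS_DIR:-$HOME/.ssh}"; }

# Map the first line of `ip route get <target>` output to a known_hosts file.
# Interfaces are matched before gateways: a VPN tunnel device discriminates
# reliably, while several LANs may all use 192.168.1.1 as their gateway.
known_hosts_for_route() {
    route="$1"
    dev=$(printf '%s\n' "$route" | sed -n 's/.* dev \([^ ]*\).*/\1/p')
    gw=$(printf '%s\n' "$route" | sed -n 's/.* via \([^ ]*\).*/\1/p')
    case "$dev" in
        tun*|wg*) printf '%s/known_hosts_vpn\n' "$(kh_dir)"; return 0 ;;
    esac
    case "$gw" in
        10.99.0.1)   printf '%s/known_hosts_work\n' "$(kh_dir)"; return 0 ;;
        192.168.1.1) printf '%s/known_hosts_myfriend\n' "$(kh_dir)"; return 0 ;;
    esac
    # Anything else, including a directly attached LAN (no "via" field),
    # falls back to the ordinary file.
    printf '%s/known_hosts\n' "$(kh_dir)"
}

# ssh hands over either a name or an address in %H; `ip route get` wants an
# address, so resolve names with getent (first address wins).
resolve_target() {
    case "$1" in
        *[!0-9.]*) getent ahosts "$1" | awk 'NR == 1 { print $1 }' ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# Entry point used by ssh: print the chosen file's lines in known_hosts format.
# $2 is %I (HOSTNAME, ADDRESS or ORDER); every reason gets the same answer.
# Printing nothing simply means "no key on record", which ssh handles.
main() {
    target="$1"
    addr=$(resolve_target "$target") || exit 0
    [ -n "$addr" ] || exit 0
    route=$(ip route get "$addr" 2>/dev/null | head -n 1) || exit 0
    file=$(known_hosts_for_route "$route")
    [ -r "$file" ] && cat "$file"
    exit 0
}

# Only run when invoked by ssh with arguments, so the functions above can
# also be sourced and exercised on their own.
if [ $# -ge 1 ]; then
    main "$@"
fi
```

Note that ssh may invoke the command several times per connection (once per lookup reason), so it must be cheap and must never prompt; it also runs with the user's privileges, so the script and the files it reads should be owned by the user and not group- or world-writable, for the same reason ~/.ssh/known_hosts itself should not be.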