Host key verification (known_hosts) with ProxyJump/ProxyCommand
Jochen Bern
Jochen.Bern at binect.de
Fri Aug 18 18:37:04 AEST 2023
On 18.08.23 07:39, Darren Tucker wrote:
> On Fri, 18 Aug 2023 at 15:25, Stuart Longland VK4MSL <me at vk4msl.com> wrote:
> [...]
>> The crux of this is that we cannot assume the local IPv4 address is
>> unique, since it's not (and in many cases, not even static).
>
> If the IP address is not significant, you can tell ssh to not record
> them ("CheckHostIP no").
If I understand correctly, you need to *know* the target system's local
172-ish IP to be able to log in. If so, and your DNS admin frowns at
setting up 16 million RRs to cover 172.0.0.0/8 in preparation, sslip.io
might be helpful.
https://sslip.io/
Otherwise, and assuming a *manageable* (mainly, enumerable) population
of remote sites, I wonder whether this approach might work, too?
Host Perth-47
    HostName 172.23.45.47
    ProxyJump Perth-GW
    GlobalKnownHostsFile /dev/null
    UserKnownHostsFile ~/.ssh/known-in-Perth

Host Adelaide-11
    HostName 172.45.67.11
    ProxyJump Adelaide-GW
    GlobalKnownHostsFile /dev/null
    UserKnownHostsFile ~/.ssh/known-in-Adelaide
(Yes, I realize that with target IPs being *potentially dynamic* per
DHCP, having known hostkeys indexed by site *and IP* might still turn
out to be bothersome.)
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
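An added example, not part of Jochen's message and not OpenSSH code: a small Python script that renders the per-site stanzas from a site table and implements a minimal known_hosts lookup over a single file's contents (plain host fields, comma-separated lists, and HashKnownHosts-style `|1|salt|hmac` entries, which OpenSSH computes as HMAC-SHA1 over the host name). It shows why two sites that reuse the same 172.x address need separate UserKnownHostsFile files: each file answers the question "which key is 172.23.45.47?" unambiguously, while one merged file lists two keys under the same name. The site names, gateway aliases, addresses and host keys are constructed placeholders.

```python
import base64
import hashlib
import hmac
import os

# Constructed site table: alias -> (gateway alias, target's site-local address).
# Both targets deliberately carry the same RFC 1918 address, as in the thread.
SITES = {
    "Perth-47": ("Perth-GW", "172.23.45.47"),
    "Adelaide-11": ("Adelaide-GW", "172.23.45.47"),
}

# Constructed placeholder host keys (not real keys).
PERTH_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIPERTHPLACEHOLDERKEY0000000000000"
ADELAIDE_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIADELAIDEPLACEHOLDERKEY000000000"


def render_stanza(alias, gateway, ip, known_dir="~/.ssh"):
    """Render one ssh_config Host stanza using a per-site known_hosts file."""
    site = alias.split("-")[0]
    return "\n".join([
        f"Host {alias}",
        f"    HostName {ip}",
        f"    ProxyJump {gateway}",
        "    GlobalKnownHostsFile /dev/null",
        f"    UserKnownHostsFile {known_dir}/known-in-{site}",
        "",
    ])


def render_config(sites=SITES):
    """Render the whole ssh_config fragment for an enumerable set of sites."""
    return "\n".join(render_stanza(a, gw, ip) for a, (gw, ip) in sites.items())


def hashed_entry(hostname, keytype, pubkey):
    """Build a HashKnownHosts-style line: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    salt = os.urandom(20)
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return (f"|1|{base64.b64encode(salt).decode()}|"
            f"{base64.b64encode(digest).decode()} {keytype} {pubkey}")


def host_matches(field, hostname):
    """Match a known_hosts host field (plain, comma list, or hashed) against hostname."""
    if field.startswith("|1|"):
        _, _, salt_b64, digest_b64 = field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return hostname in field.split(",")


def lookup(known_hosts_text, hostname):
    """Return (keytype, key) pairs recorded for hostname in this one file's text."""
    found = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        host_field, keytype, rest = parts
        if host_matches(host_field, hostname):
            found.append((keytype, rest.split()[0]))  # drop any trailing comment
    return found


def demo_files():
    """Constructed per-site files: the same 172.x name, a different key per site."""
    perth = hashed_entry("172.23.45.47", "ssh-ed25519", PERTH_KEY)      # hashed form
    adelaide = f"172.23.45.47 ssh-ed25519 {ADELAIDE_KEY}"               # plain form
    return {"known-in-Perth": perth + "\n", "known-in-Adelaide": adelaide + "\n"}


if __name__ == "__main__":
    print(render_config())
    files = demo_files()
    for name, text in files.items():
        print(name, "->", lookup(text, "172.23.45.47"))
    merged = files["known-in-Perth"] + files["known-in-Adelaide"]
    print("merged ->", lookup(merged, "172.23.45.47"))
```

Run it directly to print the generated fragment and the per-file lookups; the merged-file case is the situation the thread is trying to avoid, where one name maps to two different keys and the client can no longer tell a legitimate second site from a changed key. Real files should be checked with `ssh-keygen -F <host> -f <file>`, which performs the same plain and hashed matching.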