Host key verification (known_hosts) with ProxyJump/ProxyCommand [Resolved]

Stuart Longland VK4MSL me at vk4msl.com
Sat Aug 19 10:35:11 AEST 2023


On 18/8/23 18:28, Darren Tucker wrote:
>> Ahh, in my scanning through the `ssh_config` manpage, I missed this, and
>> change logs seem to indicate this feature has been around since at least
>> 2017, so should not cause compatibility issues with the other users.
> The OpenSSH Release Notes page is a good way to check on this kind of
> thing, it has all release notes in reverse chronological order:
> https://www.openssh.com/releasenotes.html
> 
> In this case it shows that HostKeyAlias was added in version 2.5.1 in
> 2001.  If you're using a version older than that, the lack of
> HostKeyAliases would be the least of your problems.

Agreed… 2001-era OpenSSH is positively ancient.  I have to contend with 
hosts that don't support ED25519 (yeah, I had to be "trendy" when I last 
set up the YubiKey didn't I?) and some that use ssh-rsa public keys, but 
nothing quite that ancient thankfully.

By far using `HostKeyAlias` is the closest to achieving what I'm after. 
Downside being the client will "forget" the host keys (because it 
doesn't know what IP corresponds to what alias) and have to be told to 
accept them again.  From that point though, there should be no clashes.

One can set `StrictHostKeyChecking accept-new` for that -- which, whilst 
far from ideal, is in practice no worse than blindly typing 'yes' at 
each prompt.

I think I'll gather up what host keys I can and dump those in a 
reference 'known_hosts' file that people can concatenate to their own 
`~/.ssh/known_hosts`, which will solve that other issue.  Best I can do 
until such time as we can make the host key file 'portable' (in terms 
of absolute paths).

Regards,
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
   ...it's backed up on a tape somewhere.
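As an added example (not from this thread, and not OpenSSH project code), a sketch of the setup described above: an `ssh_config` fragment that uses `HostKeyAlias` to keep two hosts sharing the same private address behind different jump hosts from clashing in `known_hosts`, plus a small merge of a distributed reference `known_hosts` into a user's own file that only appends (alias, key type) pairs not already present. All hostnames, aliases and key strings are constructed placeholders.

```shell
#!/bin/sh
# Added example; host names, aliases and key strings below are constructed.

# Write a constructed ssh_config fragment: two hosts behind different jump
# hosts that share the private address 10.0.0.5. Without HostKeyAlias both
# would be recorded under "10.0.0.5" and their keys would clash; with it,
# each gets its own known_hosts entry keyed by the alias.
write_config() {
  cat > "$1" <<'EOF'
Host siteA-box
    HostName 10.0.0.5
    ProxyJump jump.siteA.example
    HostKeyAlias siteA-box
    StrictHostKeyChecking accept-new

Host siteB-box
    HostName 10.0.0.5
    ProxyJump jump.siteB.example
    HostKeyAlias siteB-box
    StrictHostKeyChecking accept-new
EOF
}

# Merge a reference known_hosts ($1) into a user's known_hosts ($2), appending
# only (hostname/alias, key type) pairs the user does not already have, so the
# merge is idempotent and never duplicates or overrides an existing entry.
# Output goes through a temp file so awk never appends to a file it is reading.
merge_known_hosts() {
  ref="$1"; dst="$2"
  touch "$dst"
  tmp=$(mktemp) || return 1
  awk -v dst="$dst" '
    FILENAME == dst { if (NF >= 3 && $0 !~ /^#/) seen[$1 " " $2] = 1; next }
    $0 !~ /^#/ && NF >= 3 && !(($1 " " $2) in seen) {
      seen[$1 " " $2] = 1; print
    }' "$dst" "$ref" > "$tmp" && cat "$tmp" >> "$dst"
  rm -f "$tmp"
}

# Number of known_hosts entries recorded under a given alias (0 if none).
count_alias() {
  grep -c "^$1 " "$2" || true
}

# Number of non-empty lines in a file (for checks).
line_count() {
  awk 'NF { n++ } END { print n + 0 }' "$1"
}
```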
