Host key verification (known_hosts) with ProxyJump/ProxyCommand [Resolved]
Stuart Longland VK4MSL
me at vk4msl.com
Sat Aug 19 10:35:11 AEST 2023
On 18/8/23 18:28, Darren Tucker wrote:
>> Ahh, in my scanning through the `ssh_config` manpage, I missed this, and
>> change logs seem to indicate this feature has been around since at least
>> 2017, so should not cause compatibility issues with the other users.
> The OpenSSH Release Notes page is a good way to check on this kind of
> thing, it has all release notes in reverse chronological order:
> https://www.openssh.com/releasenotes.html
>
> In this case it shows that HostKeyAlias was added in version 2.5.1 in
> 2001. If you're using a version older than that, the lack of
> HostKeyAliases would be the least of your problems.
Agreed… 2001-era OpenSSH is positively ancient. I have to contend with
hosts that don't support ED25519 (yeah, I had to be "trendy" when I last
set up the YubiKey didn't I?) and some that use ssh-rsa public keys, but
nothing quite that ancient thankfully.
By far using `HostKeyAlias` is the closest to achieving what I'm after.
Downside being the client will "forget" the host keys (because it
doesn't know what IP corresponds to what alias) and have to be told to
accept them again. From that point though, there should be no clashes.
One can set `StrictHostKeyChecking accept-new` for that -- which whilst
far from ideal, in practice it's no worse than blindly typing 'yes' at
each prompt.
I think I'll gather up what host keys I can and dump those in a
reference 'known_hosts' file that people can concatenate to their own
`~/.ssh/known_hosts`, which will solve that other issue. Best I can do
until such time as we can make the hosts key file 'portable' (in terms
of absolute paths).
Regards,
--
Stuart Longland (aka Redhatter, VK4MSL)
I haven't lost my mind...
...it's backed up on a tape somewhere.
More information about the openssh-unix-dev
mailing list