How to specify chost (client hostname) used for hostbased authentication?

Jan Schermer jan at schermer.cz
Fri Sep 5 23:23:52 AEST 2025


>> ^ if that were completely true, then there wouldn’t be any need for the HostbasedUsesNameFromPacketOnly option, though it in fact seems to do something slightly different than what its name implies, at least for me - once disabled, I can’t log in at all, so it’s not supplementing the client’s “chost” but rather not using it/trusting it at all.
> 
> If it's not working, that's a separate problem which "-vvvv" on the client and/or server can probably help you with. Most likely the host name the client is sending does not match the host name in the known_hosts file on the server. (Or maybe you've found a bug in a rarely-used code path)
> 
> I quoted the "recommended" section in the RFC earlier.  The concern is, just *suppose* the private key from host A were stolen: very bad things could happen if the person holding that key could login from anywhere, as any user. Binding the source to IP/DNS information makes it *slightly* harder to abuse. Personally, I think by this stage you're toast anyway.

If used as standalone authentication - yes. But I think it could be made very useful for “network bound authentication”, i.e. 

AuthenticationMethods hostbased,publickey (jumphost or a set of workstations+named credentials)
and a fallback of something like AuthenticationMethods publickey,password (backup access with named credentials and a passphrase from a vault)

Also, it’s possible to store Hostkeys in ssh-agent, ssh-agent can use PKCS#11 token and nowadays every machine has a TPM which can be used as PKCS#11 token… (I haven’t tried this yet, I suspect there could be a simpler way, maybe with sk-* type hostkeys?).
Also also, ssh-*-cert-v01@openssh.com as a hostkeyalgorithm sounds interesting. I wonder how many people actually use those?

I know it’s not exactly in line with buzzwords like Zero-Trust, but it could be much simpler to set up, “free” and much better than whatever Rube Goldberg machine enterprises get sold on (Okta, Cyberark, you name it).

Jan
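The "network bound authentication" chaining sketched above, written out as an added configuration example (not from the thread or from OpenSSH itself). The hostnames and key types are assumptions; the directives are standard sshd_config/ssh_config keywords.

```conf
# --- sshd_config (server) ---
# Allow hostbased auth and require it to be chained with a per-user
# public key. The second, space-separated list is an independent
# fallback path (password here stands in for a vault-held passphrase).
HostbasedAuthentication yes
AuthenticationMethods hostbased,publickey publickey,password

# Default "no": sshd reverse-resolves the peer IP and requires the
# result to match the chost the client put in the packet. That is the
# IP/DNS binding discussed above; leave it at "no".
HostbasedUsesNameFromPacketOnly no

# Only the system-wide host list and host-key file count, so users
# cannot widen the trusted set from ~/.shosts or ~/.ssh/known_hosts.
IgnoreRhosts yes
IgnoreUserKnownHosts yes

# Restrict which host key types sshd accepts for hostbased auth
# (plain keys and CA-signed host certificates; assumed choice).
HostbasedAcceptedAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com

# /etc/ssh/shosts.equiv: one trusted client FQDN per line, e.g.
#   jump01.example.test          (placeholder hostname)
# /etc/ssh/ssh_known_hosts: that client's host public key, e.g.
#   jump01.example.test ssh-ed25519 AAAA...  (placeholder key)

# --- ssh_config (client, e.g. the jump host) ---
Host *.example.test
    HostbasedAuthentication yes
    # ssh-keysign (setuid root) signs the hostbased request with
    # the client's own host key from /etc/ssh.
    EnableSSHKeysign yes
    HostbasedAcceptedAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
```

A stolen client host key alone then only gets an attacker past the first method from a source whose reverse DNS matches an entry in shosts.equiv, and still not past the per-user public key that follows it.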

