[Bug 910] known_hosts port numbers

bugzilla-daemon at mindrot.org
Tue Sep 21 06:15:21 EST 2004


http://bugzilla.mindrot.org/show_bug.cgi?id=910

devin.nate at bridgecomm.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #717 is|0                           |1
           obsolete|                            |



------- Additional Comments From devin.nate at bridgecomm.net  2004-09-21 06:15 -------
Created an attachment (id=719)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=719&action=view)
Patch to add PortAware to ssh client

Summary:
Permit ssh client and ssh server to preserve all backwards compat while at the
same time permitting ssh client to be 'port aware'. I believe that both
mechanisms (PortAware and HostKeyAlias) can co-exist. I am not asking to
replace one with the other, I'd sure like both though, and I believe the
following is a way to have both in such a way that backwards compat is
maintained, no features are lost, and the port feature is gained.

SSH CLIENT
1) ssh will use the host documented in HostKeyAlias if there is one. No port
information will be used for key retrieval or key addition. (i.e. ssh client
will work identically to before if there is a HostKeyAlias specified).
2) ssh will use host & port if there is not an explicit HostKeyAlias. Port
information will be appended to the hostname and/or ip address in the format
@port (the mailing lists noted that @ is a better separator).

SSH SERVER
1) sshd will use host/ip address only for HostbasedAuth. It will not use any
port information for key retrieval. (i.e. sshd server will work identically to
before, no changes to be made).

ADDITIONAL FEATURES:
1) ssh client becomes 'port aware'.

COMPAT MAINTAINED
1) ssh client connections still can use all the features of the HostKeyAlias
functionality, both for key learning and key retrieval. ssh client is identical
when HostKeyAlias information is specified.
2) For non-HostKeyAlias entries, ssh client behavior is identical to before
except that port info is used to save and retrieve known_hosts entries.
3) sshd does not process port information and therefore operates identically to
before.

POTENTIAL CONSEQUENCES
1) Since ssh client may learn with @port info (i.e. when there is no
HostKeyAlias), and since sshd ignores @port info, users will need to make sure
that keys to be read by sshd for HostbasedAuthentication appear without the
@port information. Since current info is stored without @port info, full
backward compat is maintained for people already doing this. Only newly added
hosts need to be verified.

POTENTIAL CONFIG ISSUES [ NOT IMPLEMENTED IN THIS PATCH ]
1) Since there is some controversy, perhaps a ssh option for ssh_config or from
the command line exists to enable the port-aware behavior. ssh_config example:
PortAware [ yes | no ] (default to no to maintain backwards compat).

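The naming rules described in the comment above (HostKeyAlias first, otherwise host@port on the client; bare host only in sshd's HostbasedAuthentication lookup) and the consequence listed under POTENTIAL CONSEQUENCES, modelled as a small runnable example. This is an added illustration, not the attached patch and not OpenSSH code. It assumes a simplified known_hosts line format "names keytype base64key" (plain comma-separated names, no hashing, wildcards or markers), a hypothetical port_aware flag standing in for the proposed PortAware option, and the "@port" separator from the comment; the key material in the sample file is a constructed placeholder. As a caveat for anyone reading this today: the OpenSSH that eventually shipped records non-default ports as "[host]:port" rather than "host@port".

```python
"""Model of the known_hosts naming rules proposed in bug 910.

Added example: not the attached patch and not OpenSSH code.
"""
from typing import Dict, List, Optional, Tuple

Entry = Tuple[List[str], str, str]  # (names, key type, base64 key)


def parse_known_hosts(text: str) -> List[Entry]:
    """Parse simplified known_hosts lines; blank lines and comments are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        if len(fields) != 3:
            continue  # malformed line: ignore it rather than guess
        names, keytype, key = fields
        entries.append((names.split(","), keytype, key))
    return entries


def client_lookup_name(host: str, port: int,
                       host_key_alias: Optional[str] = None,
                       port_aware: bool = True) -> str:
    """Name the ssh client uses to save and retrieve a host key.

    1) An explicit HostKeyAlias wins and carries no port information.
    2) Otherwise, with the (hypothetical) port_aware flag on, the port is
       appended as host@port; with it off, the bare host is used as before.
    """
    if host_key_alias:
        return host_key_alias
    if port_aware:
        return f"{host}@{port}"
    return host


def server_lookup_name(client_host: str) -> str:
    """sshd's HostbasedAuthentication lookup: host/IP only, never a port."""
    return client_host


def find_key(entries: List[Entry], name: str) -> Optional[Tuple[str, str]]:
    """Return (keytype, key) for the first entry whose name list contains name."""
    for names, keytype, key in entries:
        if name in names:
            return keytype, key
    return None


def learn(entries: List[Entry], name: str, keytype: str, key: str) -> None:
    """Append a new entry the way a client does once the user accepts a key."""
    entries.append(([name], keytype, key))


# Constructed sample file; the key material is a placeholder, not a real key.
SAMPLE_KNOWN_HOSTS = """\
# legacy entry written by a pre-patch client: host only, no port
legacy.example.net,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2E-constructed-key-1
"""


def demo() -> Dict[str, object]:
    """Walk through the rules and return what each lookup yields."""
    entries = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    results: Dict[str, object] = {}

    # Rule 1: HostKeyAlias overrides everything; the port is dropped.
    results["alias"] = client_lookup_name("gw.example.net", 2222,
                                          host_key_alias="gw")
    # Rule 2: no alias, port-aware -> host@port.
    results["port_aware"] = client_lookup_name("gw.example.net", 2222)
    # Port awareness off -> the pre-patch name.
    results["legacy_name"] = client_lookup_name("gw.example.net", 2222,
                                                port_aware=False)

    # A port-aware client learns the key under "gw.example.net@2222" ...
    learn(entries, str(results["port_aware"]), "ssh-rsa",
          "AAAAB3NzaC1yc2E-constructed-key-2")
    # ... but sshd looks up the bare host, so that entry is invisible to it
    # (the "potential consequence" noted in the comment).
    results["sshd_sees_new"] = find_key(
        entries, server_lookup_name("gw.example.net")) is not None
    # The pre-patch entry has no @port and is still found by sshd.
    results["sshd_sees_legacy"] = find_key(
        entries, server_lookup_name("legacy.example.net")) is not None
    # With port awareness off the client also still finds the legacy entry.
    results["client_sees_legacy"] = find_key(
        entries, client_lookup_name("legacy.example.net", 22,
                                    port_aware=False)) is not None
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the model makes concrete is that the client-side and server-side lookups use different names for the same machine once port awareness is on, so a key that only exists as host@port has to be added again under the bare host before sshd's HostbasedAuthentication can see it.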