[Bug 1039] Incomplete application of HostKeyAlias in ssh

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Apr 18 08:09:09 EST 2013


Iain Morgan <imorgan at nas.nasa.gov> changed:

           What    |Removed                     |Added
                 CC|                            |imorgan at nas.nasa.gov

--- Comment #13 from Iain Morgan <imorgan at nas.nasa.gov> ---

My apologies for re-opening a long-closed bug, but this feature seems
like a bad idea.

The description of HostKeyAlias in ssh_config(5) only refers to using
the alias for the purpose of looking up or storing keys. Thus, having
also affect the password prompt is quite unexpected.

While the current behaviour addresses one issue, it creates others: In
our environment, we use a proxy command to implement load-balancing
between a number of front-ends for a cluster. Users ssh to a special
hostname, which is not in DNS, to invoke the load-balancer and all of
the front-end systems share the same host keys.

The ssh_config entry looks something like this:

    Host balancer
        HostKeyAlias    frontend1
        ProxyCommand    /usr/local/bin/ssh-balance %h

The HostKeyAlias option is needed because there is not an actual host
named balancer and no entry for that name in the ssh_known_hosts file.

Consequently, the password prompt always indicates frontend1 regardless
of what host the user is actually directed to by the proxy command.
is deceptive and has caused some confusion when debugging issues.

Perhaps it would be better to use a separate option to allow
manipulation of the password prompt. Alternatively, perhaps some logic
could be added to limit the circumstances where the key alias rather
than the hostname is used in the prompt.

A potential fix (for our environment) might be:

    const char *host = (options.host_key_alias &&
        ? options.host_key_alias : authctxt->host;

You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

More information about the openssh-bugs mailing list