[Bug 2673] Multiple ssh keys for a given server
bugzilla-daemon at bugzilla.mindrot.org
Mon Jan 30 21:42:49 AEDT 2017
https://bugzilla.mindrot.org/show_bug.cgi?id=2673
--- Comment #3 from George Shuklin <george.shuklin at gmail.com> ---
(In reply to Darren Tucker from comment #1)
> (In reply to George Shuklin from comment #0)
> [...]
> > 1) A server booting from a golden image. The golden image has a 'built-in'
> > host ssh key which is changed after the system configuration management
> > application sets up the proper ssh key for the server.
>
> The down side is that anyone with access to the golden image could
> MITM connections.
Yes, there is a risk, but it's less than 'use -R every time'. Adding
additional keys is not the default configuration, so unexpected users
wouldn't be affected.
> > Proposition: permit multiple host keys for a given server name
> > and/or IP address.
>
> Anyway, that's already possible but for different host key types.
> You could set HostKeyAlgorithms=ssh-rsa for one host and
> HostKeyAlgorithms=ssh-ed25519 on the other.
>
> I think having multiple keys of the same type valid for one host is
> a risk, though.
Is there any reason why having two different keys with different algos is OK,
but having two different keys with the same algo is not OK?
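The workaround Darren describes in comment #1 (two aliases for the same server, each restricted to a different host key algorithm, so that one known_hosts file can carry both the golden-image key and the final key) written out as ssh_config and known_hosts entries. This is an added example, not configuration from the bug thread or from OpenSSH itself; the address 192.0.2.10 and the two key blobs are constructed placeholders, and the alias names `build-stage` and `prod` are assumptions. `ssh -G` is used as the check, since it prints the options that would apply to an alias without opening a connection. Note that OpenSSH 8.8 and later no longer offer `ssh-rsa` (the SHA-1 signature form) by default, so on a current client the golden-image alias would more realistically pin `rsa-sha2-512`.

```shell
#!/bin/sh
# Added example: two ssh_config aliases for one server, each pinned to a
# different host key algorithm. The client then accepts a different
# known_hosts entry depending on which alias is used, without -R and
# without ever disabling StrictHostKeyChecking.
# 192.0.2.10 and the key blobs are constructed placeholders, not real keys.

SERVER_IP="192.0.2.10"
GOLDEN_RSA_KEY="AAAAB3NzaC1yc2E...PLACEHOLDER-GOLDEN-IMAGE-RSA-KEY"
FINAL_ED25519_KEY="AAAAC3NzaC1lZDI1NTE5...PLACEHOLDER-FINAL-ED25519-KEY"

# ssh_config: same HostName, different alias, different accepted algorithm.
# $1 is the known_hosts file both aliases should consult.
make_ssh_config() {
    known_hosts=$1
    cat <<EOF
# Alias used only while the box still runs the golden-image host key.
Host build-stage
    HostName $SERVER_IP
    UserKnownHostsFile $known_hosts
    HostKeyAlgorithms ssh-rsa
    StrictHostKeyChecking yes

# Alias used once configuration management has installed the final key.
Host prod
    HostName $SERVER_IP
    UserKnownHostsFile $known_hosts
    HostKeyAlgorithms ssh-ed25519
    StrictHostKeyChecking yes
EOF
}

# known_hosts: two entries for the same address, one per key type.
# Each alias can only ever match the line whose type it negotiates.
make_known_hosts() {
    cat <<EOF
$SERVER_IP ssh-rsa $GOLDEN_RSA_KEY
$SERVER_IP ssh-ed25519 $FINAL_ED25519_KEY
EOF
}

# Print the host key algorithms ssh would offer for an alias.
# 'ssh -G' resolves the configuration without connecting anywhere.
resolved_algorithms() {
    cfg=$1
    alias=$2
    ssh -G -F "$cfg" "$alias" | awk '$1 == "hostkeyalgorithms" { print $2 }'
}

main() {
    dir=$(mktemp -d)
    make_known_hosts > "$dir/known_hosts"
    make_ssh_config "$dir/known_hosts" > "$dir/config"
    if command -v ssh >/dev/null 2>&1; then
        echo "build-stage offers: $(resolved_algorithms "$dir/config" build-stage)"
        echo "prod offers:        $(resolved_algorithms "$dir/config" prod)"
    else
        echo "ssh not installed; generated files are in $dir"
    fi
    rm -rf "$dir"
}

main
```

With this in place, `ssh build-stage` can only succeed against the golden-image RSA key and `ssh prod` only against the final ed25519 key; a server presenting an unexpected key for either alias is rejected outright because StrictHostKeyChecking is on. Once the golden-image key has been rotated out everywhere, delete the `build-stage` stanza and its known_hosts line so the key from the shared image is no longer trusted anywhere.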