About multiple hosts with same hostname

Christian Iversen chrivers at iversen-net.dk
Wed Apr 1 07:57:57 EST 2009


Flavien wrote:
> Hi,
> 
> Christian Iversen wrote:
>> However, when we go to our customers' sites, we often issue commands 
>> like "ssh user@fw0", which of course gives out endless warnings about 
>> MITM attacks, and essentially makes host keys worthless on the internal 
>> customer networks.
>>
>> It seems somewhat wrong to me. Isn't there some way to make OpenSSH save 
>> the host key using the FQDN instead of just the local part?
> 
> 
> What about a trick like :
>     $ tail -2 .ssh/config
>     Host fw0
>     Hostname fw0.client3.toto.org#CLIENTDOMAIN
>     $ switch-ssh client2.org
>     $ tail -2 .ssh/config
>     Host fw0
>     Hostname fw0.client2.org#CLIENTDOMAIN
> 
> "switch-ssh" can be a script or even an alias in your shell, that
> does :
> sed -i \
>     "s/^Hostname *\([^.]*\).*#CLIENTDOMAIN/Hostname \1.$1#CLIENTDOMAIN/" \
>     .ssh/config

Hmm, that does seem like quite the hack. I think a better solution would 
be to use "ssh -o UserKnownHostsFile=~/.ssh/customers/SITE" to provide a 
specific hosts file for the customer.

An even better solution, now that I think of it, could be to define a 
shell function named "ssh" that resolves the host part into a FQDN, 
based on the search domain for the host, checked against a whitelist of 
valid customer site names.

That way, only FQDNs would ever be stored. These are unique by 
definition, so that should solve it pretty cleanly.

Does anyone have any comments about this idea?

-- 
Med venlig hilsen
Christian Iversen
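The two ideas in this message (a per-customer known_hosts file via UserKnownHostsFile, and a shell function named "ssh" that expands a bare hostname to a FQDN using the search domain, checked against a whitelist) combined into one POSIX sh wrapper. This is an added example, not code from the thread; the whitelist, the sample resolv.conf contents and the hostnames are constructed, and the wrapper assumes the target is the first argument in "[user@]host" form, as in "ssh user@fw0".

```sh
#!/bin/sh
# Constructed whitelist of customer domains (assumed; replace with your own).
CUSTOMER_DOMAINS="client2.org client3.toto.org"

# Constructed resolv.conf contents so the demonstration runs offline.
SAMPLE_RESOLV="nameserver 10.0.0.1
search client2.org"

# search_domain: print the first "search" domain found in resolv.conf-style
# text read from stdin; prints nothing if there is no search line.
search_domain() {
    awk '$1 == "search" { print $2; exit }'
}

# whitelisted DOMAIN: succeed only if DOMAIN is one of CUSTOMER_DOMAINS.
whitelisted() {
    for d in $CUSTOMER_DOMAINS; do
        [ "$1" = "$d" ] && return 0
    done
    return 1
}

# resolve_fqdn HOST DOMAIN: print HOST unchanged if it already contains a
# dot; otherwise print HOST.DOMAIN, but only if DOMAIN is whitelisted.
# A bare host with an unknown search domain is refused rather than guessed,
# so a stray resolv.conf can never make "fw0" land on the wrong customer.
resolve_fqdn() {
    host=$1
    domain=$2
    case $host in
        *.*) printf '%s\n' "$host"; return 0 ;;
    esac
    if [ -n "$domain" ] && whitelisted "$domain"; then
        printf '%s.%s\n' "$host" "$domain"
        return 0
    fi
    printf 'refusing to expand "%s": search domain "%s" is not a known customer\n' \
        "$host" "$domain" >&2
    return 1
}

# ssh wrapper: rewrites "[user@]host" to "[user@]fqdn" and points OpenSSH at a
# known_hosts file dedicated to that customer domain, so host keys from
# different sites are never compared against each other. Only the FQDN form
# is ever written to a known_hosts file.
ssh() {
    target=$1
    shift
    case $target in
        *@*) user=${target%%@*}@; host=${target#*@} ;;
        *)   user=; host=$target ;;
    esac
    domain=$(search_domain < /etc/resolv.conf) || return 1
    fqdn=$(resolve_fqdn "$host" "$domain") || return 1
    site=${fqdn#*.}                      # customer domain part of the FQDN
    mkdir -p "$HOME/.ssh/customers"
    command ssh -o "UserKnownHostsFile=$HOME/.ssh/customers/$site" "$user$fqdn" "$@"
}

# Demonstration against the constructed resolv.conf sample (no network needed).
demo_domain=$(printf '%s\n' "$SAMPLE_RESOLV" | search_domain)
resolve_fqdn fw0 "$demo_domain"   # prints fw0.client2.org
```

Sourcing this file in an interactive shell makes "ssh user@fw0" expand to "ssh -o UserKnownHostsFile=~/.ssh/customers/client2.org user@fw0.client2.org" while connected to client2's network, and fail loudly on any network whose search domain is not in the whitelist.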

