[PATCH] hostfile: list known names (if any) for new hostkeys

Oskari Saarenmaa os at ohmu.fi
Fri Nov 8 08:49:20 EST 2013


On Thu, Nov 07, 2013 at 09:09:50PM +0000, Heberlein, Kurt William wrote:
> Doesn't this play in the same space as StrictHostKeyChecking?  Doesn't
> it also sort of expose MITM if a known hostkey arrives from a different
> IP/named host?

This is related, but different.  This patch matches hostkeys for new hosts
against hostkeys of already known hosts but doesn't accept or reject them,
it just prints out the matching, already known keys.

I don't think there's much chance for MITM; the only thing this patch does
is list all previously accepted keys that match the new key presented by
the remote host.  The idea is to make it easier for the user to verify that
the new host (new hostname or IP address) they're connecting to is the same
host they've already accessed previously.  If two hosts share the same key,
the chances are that the administrator has knowingly installed the same key
on multiple hosts (or they've been compromised, or they're running Debian's
broken OpenSSL).

This patch would've probably exposed the issues in Debian's key generation a
bit sooner as a number of unrelated hosts would've been found to use
identical keys.

> -----Original Message-----
> 27.12.2012 17:15, Oskari Saarenmaa wrote:
> > When connecting to a host for which there's no known hostkey, check if the
> > relevant key has been accepted for other hostnames.  This is useful when
> > connecting to a host with a dynamic IP address or multiple names.
> 
> Ping, anyone had a chance to look at this patch yet?  I've also attached 
> it to bugzilla,
> https://bugzilla.mindrot.org/show_bug.cgi?id=2131

/ Oskari
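The behaviour described in the reply above, as an added, stand-alone example: this is not the patch from the thread and not OpenSSH's own code, just a small Python emulation of the idea. It parses a known_hosts file in the documented format (optional @marker, comma-separated host tokens, key type, base64 key), treats a host as "new" when no entry's host token matches it (plain tokens by exact string compare, HashKnownHosts tokens by recomputing the HMAC-SHA1), and for a new host lists every entry that already carries the presented key. The hostnames, key blobs and salt are constructed sample data; the key blobs are valid base64 but are not real SSH public keys.

```python
import base64
import hashlib
import hmac

# Constructed sample key blobs: valid base64, but dummy bytes rather than
# real SSH wire-format public keys.
ED_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIHdummyA"
RSA_OLD = "AAAAB3NzaC1yc2EAAAADAQABAAABAQDoldAB"
RSA_DB = "AAAAB3NzaC1yc2EAAAADAQABAAABAQDdbkeyAAAA"


def hashed_host_token(hostname, salt):
    """Build a HashKnownHosts token: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


# Constructed sample known_hosts contents (assumed names, not real hosts).
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample file",
    "web1.example.org,192.0.2.10 ssh-ed25519 " + ED_KEY + " web1",
    "[web2.example.org]:2222 ssh-ed25519 " + ED_KEY,
    hashed_host_token("mirror.example.net", b"0123456789abcdef0123")
    + " ssh-ed25519 " + ED_KEY,
    "@revoked old.example.org ssh-rsa " + RSA_OLD,
    "db.example.org ssh-rsa " + RSA_DB,
])


def parse_known_hosts(text):
    """Return a list of (marker, [host tokens], keytype, keydata) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):          # @cert-authority / @revoked
            marker = fields.pop(0)
        if len(fields) < 3:
            continue                            # malformed line, skipped
        entries.append((marker, fields[0].split(","), fields[1], fields[2]))
    return entries


def host_matches(token, hostname):
    """Exact-match a plain token, or verify a |1|salt|hash token against hostname.
    (Wildcard patterns such as *.example.org are not handled here.)"""
    if token.startswith("|1|"):
        _, _, salt_b64, mac_b64 = token.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(),
                       hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64encode(mac).decode(), mac_b64)
    return token == hostname


def fingerprint(keydata):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(keydata)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_new_host(text, hostname, keytype, keydata):
    """If hostname is already in known_hosts return None (normal key check
    applies).  Otherwise return the host tokens of every entry that already
    carries the key the new host presented; hashed entries cannot be named."""
    entries = parse_known_hosts(text)
    if any(host_matches(t, hostname) for _, tokens, _, _ in entries for t in tokens):
        return None
    same_key = []
    for marker, tokens, kt, kd in entries:
        if kt != keytype or kd != keydata:
            continue
        for t in tokens:
            name = "(hashed entry)" if t.startswith("|1|") else t
            same_key.append(name if marker is None else "%s %s" % (marker, name))
    return same_key


if __name__ == "__main__":
    hits = check_new_host(SAMPLE_KNOWN_HOSTS, "web3.example.org", "ssh-ed25519", ED_KEY)
    print("key %s already accepted for: %s" % (fingerprint(ED_KEY), ", ".join(hits)))
```

Note that this only reports: as in the patch's description, it neither accepts nor rejects the key, and a `@revoked` entry is still listed with its marker so the user sees it. Entries written with HashKnownHosts match on the key but can only be reported as "(hashed entry)", which is a real limitation of this approach on hosts where hashing is enabled.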


More information about the openssh-unix-dev mailing list