E. Jay Berkenbilt
2000-Aug-07 00:11 UTC
openssh 2.1.1p4-1: port number data in known_hosts: suggestion
Before I went to the trouble of implementing this feature and sending in a patch, I want to see what the general reaction would be...

I allow ssh through my firewall under certain circumstances. My firewall is a Linux box running ipchains, but it could just as easily be any firewall that can forward external ports to internal ports. My internal network uses non-published addresses, so I forward specific ports on my firewall to specific internal hosts when appropriate. For example, port 221 on the firewall forwards to port 22 on one of our internal servers so that I can ssh to the internal server from outside. This means that, from the client's perspective, my firewall may appear to be running multiple instances of ssh on different ports, each of which has a different host key. At present, I see no way of dealing with this cleanly with openssh since no port information is stored in the known_hosts file.

My proposal would be to extend the syntax of the known_hosts file in a backward-compatible way so that additional attributes could be stored. For example, if the second word starts with :, then from there up to the next space or tab would be an attribute specification. We could have a port attribute that would cause a match to occur only when connecting to the specified host on the specified port. If the port attribute were not present, the present behavior of ignoring the port would be retained. For example, if I had the following entry in my known_hosts file:

    some.host.com,123.321.123.321 :port=221 1024 35 48524.....

then this line would match only when I attempted to connect to some.host.com on port 221. I could then have the firewall forward various ports to various internal hosts with different host keys without a problem. I think this would be pretty easy to implement since check_host_key in sshconnect.c seems to be a common interface and since this routine already has the sockaddr for the remote connection.

Do people think this is an idea worth implementing? Does someone know of some other way to achieve my desired functionality under the existing implementation? I know I could do this using ProxyCommand by having some program that copies stdin <-> host/port, but that unfortunately requires the extra overhead of an external program passing all the data in both directions...

In my opinion, you really need a host/port pair to specify the destination, so anything like this should provide a way to specify the port as well as the hostname/IP address....

-- 
E. Jay Berkenbilt (ejb at ql.org) | http://www.ql.org/q/
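The matching rule proposed in the post above, as an added example that is not part of the original message or of OpenSSH: a small Python matcher for a known_hosts file carrying the suggested :port attribute, where entries without the attribute keep the old port-ignoring behaviour. The sample file, the key numbers in it, and the comma-separated attribute syntax beyond port are assumptions made here for illustration.

```python
# Added example (not OpenSSH code): match known_hosts entries extended with a
# second word of the form ':port=221', as proposed on the list. Entries with
# no attribute word match regardless of port, preserving the old behaviour.
from typing import Dict, Optional

# Constructed sample file: two entries for the same firewall name pinned to
# different forwarded ports (each with its own key), and one legacy entry.
SAMPLE_KNOWN_HOSTS = """\
# comment lines and blank lines are ignored

some.host.com,123.321.123.321 :port=221 1024 35 20001
some.host.com,123.321.123.321 :port=222 1024 35 20002
other.host.com 1024 35 30003
"""


def parse_attributes(token: str) -> Dict[str, str]:
    """Turn an attribute word such as ':port=221' into {'port': '221'}.

    Several attributes separated by commas are assumed here (':a=1,b=2').
    """
    attrs: Dict[str, str] = {}
    for item in token[1:].split(","):
        if item:
            name, _, value = item.partition("=")
            attrs[name] = value
    return attrs


def find_host_key(known_hosts: str, host: str, port: int) -> Optional[str]:
    """Return the key fields of the first entry matching host and port, else None."""
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        names = fields[0].split(",")        # hostnames/IPs, comma-separated
        rest = fields[1:]
        attrs: Dict[str, str] = {}
        if rest and rest[0].startswith(":"):  # optional attribute word
            attrs = parse_attributes(rest[0])
            rest = rest[1:]
        if host not in names:
            continue
        wanted = attrs.get("port")
        # A malformed or mismatching port attribute never matches; no attribute
        # at all keeps the original port-agnostic behaviour.
        if wanted is not None and (not wanted.isdigit() or int(wanted) != port):
            continue
        return " ".join(rest)
    return None
```

Later OpenSSH releases address the same need natively with [hostname]:port entries in known_hosts, so this stays an illustration of the 2000 proposal rather than of current syntax.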
E. Jay Berkenbilt
2000-Aug-07 01:24 UTC
openssh 2.1.1p4-1: port number data in known_hosts: suggestion
> Do people think this is an idea worth implementing? Does someone know
> of some other way to achieve my desired functionality under the
> existing implementation? I know I could do this using ProxyCommand by
> having some program that copies stdin <-> host/port, but that
> unfortunately requires the extra overhead of an external program
> passing all the data in both directions...

To answer my own question, I figured out a way to achieve my goal.... I added (lines like) the following to /etc/ssh/ssh_config or ~/.ssh/config on hosts outside the firewall:

    Host inside1
        HostName name.of.my.firewall
        Port 221
        UserKnownHostsFile ~/.ssh/inside1

    Host inside2
        HostName name.of.my.firewall
        Port 222
        UserKnownHostsFile ~/.ssh/inside2

Then ssh inside1 and ssh inside2 use different known_hosts files and I don't have a problem. I can also not put those lines on the machines inside the firewall so I can use identical configurations everywhere.....

I still think my suggested fix is a reasonable idea, but my incentive to implement it has mostly disappeared. :-)

-- 
E. Jay Berkenbilt (ejb at ql.org) | http://www.ql.org/q/