bugzilla-daemon at mindrot.org
2002-Sep-10  20:11 UTC
[Bug 393] New: 'known_hosts' file should be indexed by IP:PORT, not just IP
http://bugzilla.mindrot.org/show_bug.cgi?id=393
           Summary: 'known_hosts' file should be indexed by IP:PORT, not
                    just IP
           Product: Portable OpenSSH
           Version: -current
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: eric at addamark.com
The current logic for using the 'known_hosts' file is broken with respect to
NAT.  The current logic assumes that there is a 1:1 relationship between an IP
Address and a physical host.  This is not true.  The correct logic would be to
associate each IP:PORT pair with a physical host.

The current logic breaks if the SSH server is behind a NAT device that does
port mapping.  For example, 156.32.67.132:22 does not necessarily go to the
same physical host as 156.32.67.132:1022.

The problem one sees as a result of this is that the 'StrictHostChecking'
and 'CheckHostIP' settings in ssh_config will cause 'ssh' to fail when it
shouldn't.  We ran into this today when I mapped a second SSH server through
our firewall on a new port.
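Added illustration of the indexing problem the report describes (example code, not part of the bug report and not OpenSSH's own implementation). It is a toy known_hosts matcher that can be run either port-unaware (key lookup by address only, the behaviour the report complains about) or port-aware (lookup by address and port). The `[host]:port` line syntax is the convention OpenSSH later adopted for non-default ports; the two entries, their placeholder keys and the NAT scenario (two hosts mapped behind 156.32.67.132 on ports 22 and 1022) are constructed for this example.

```python
"""Toy known_hosts lookup: address-only indexing versus address:port indexing."""
from typing import List, Optional, Tuple

# Constructed known_hosts-style file: host A is reachable on the default port,
# host B is a second machine that NAT maps to the same address on port 1022.
# The key material is a placeholder, not a real public key.
KNOWN_HOSTS = """\
156.32.67.132 ssh-rsa AAAA-placeholder-key-host-A
[156.32.67.132]:1022 ssh-rsa AAAA-placeholder-key-host-B
"""

Entry = Tuple[str, int, str, str]  # (host, port, key type, key)


def parse_known_hosts(text: str) -> List[Entry]:
    """Parse known_hosts lines; a bare host means port 22, [host]:port carries its port."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hostpart, keytype, key = line.split()[:3]
        if hostpart.startswith("[") and "]:" in hostpart:
            host, port_s = hostpart[1:].split("]:", 1)
            port = int(port_s)
        else:
            host, port = hostpart, 22
        entries.append((host, port, keytype, key))
    return entries


def lookup(entries: List[Entry], host: str, port: int, port_aware: bool) -> Optional[str]:
    """Return the stored key for host; the port is only considered when port_aware."""
    for h, p, _keytype, key in entries:
        if h != host:
            continue
        if port_aware and p != port:
            continue
        return key  # first matching entry wins, as a file scan would
    return None


def verify(entries: List[Entry], host: str, port: int,
           presented_key: str, port_aware: bool) -> str:
    """Classify a connection the way a host-key check would: new, match, or MISMATCH."""
    stored = lookup(entries, host, port, port_aware)
    if stored is None:
        return "new"
    return "match" if stored == presented_key else "MISMATCH"


if __name__ == "__main__":
    entries = parse_known_hosts(KNOWN_HOSTS)
    ip = "156.32.67.132"
    # Port-unaware: connecting to host B on :1022 is checked against host A's key.
    print("port-unaware, B on 1022:",
          verify(entries, ip, 1022, "AAAA-placeholder-key-host-B", port_aware=False))
    # Port-aware: each (address, port) pair has its own entry, so both hosts verify.
    print("port-aware,   B on 1022:",
          verify(entries, ip, 1022, "AAAA-placeholder-key-host-B", port_aware=True))
    print("port-aware,   A on 22:  ",
          verify(entries, ip, 22, "AAAA-placeholder-key-host-A", port_aware=True))
```

With the port-unaware lookup the second server behind the NAT produces a host-key mismatch even though nothing is wrong, which is exactly the false alarm the report describes; the port-aware lookup keeps the two machines' keys apart and treats an unseen port as a new host rather than a conflict.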