It appears somewhat inconsistent to me that parameter HostKey is configurable on the server side but fixed on the client side. On the client, always _PATH_HOST_KEY_FILE, _PATH_HOST_DSA_KEY_FILE, _PATH_HOST_RSA_KEY_FILE are used (in this order), whereas on the server, the paths can be specified by up to three HostKey options as arbitrary names in arbitrary sequence. Similarly, option GlobalKnownHostsFile is configurable for the client only but fixed as _PATH_SSH_SYSTEM_HOSTFILE for the server. (Well, here the meaning is slightly different, thus this may be o.k.)
your mail is missing many details, but i assume you are talking about hostbased authentication.

On Wed, Oct 24, 2001 at 10:51:57AM +0200, Hans Werner Strube wrote:
> It appears somewhat inconsistent to me that parameter HostKey is configurable
> on the server side but fixed on the client side.
> On the client, always _PATH_HOST_KEY_FILE, _PATH_HOST_DSA_KEY_FILE,
> _PATH_HOST_RSA_KEY_FILE are used (in this order), whereas on the server,
> the paths can be specified by up to three HostKey options as arbitrary names
> in arbitrary sequence.

because the client is setuid root. you don't want to make
ssh read every private key on the system.

the client _could_ get the hostkey pathnames from sshd_config,
but then you have to hardcode another filename.

-m
> your mail is missing many details, but i assume you are talking
> about hostbased authentication.
>
> On Wed, Oct 24, 2001 at 10:51:57AM +0200, Hans Werner Strube wrote:
> > It appears somewhat inconsistent to me that parameter HostKey is configurable
> > on the server side but fixed on the client side.
> > On the client, always _PATH_HOST_KEY_FILE, _PATH_HOST_DSA_KEY_FILE,
> > _PATH_HOST_RSA_KEY_FILE are used (in this order), whereas on the server,
> > the paths can be specified by up to three HostKey options as arbitrary names
> > in arbitrary sequence.
>
> because the client is setuid root. you don't want to make
> ssh read every private key on the system.
>
> the client _could_ get the hostkey pathnames from sshd_config,
> but then you have to hardcode another filename.

I do not quite understand. I thought that each host would usually have the same host key(s), regardless of whether acting as server or client. The default setting for the client is _PATH_HOST_KEY_FILE, _PATH_HOST_DSA_KEY_FILE and _PATH_HOST_RSA_KEY_FILE and for the server _PATH_HOST_KEY_FILE and _PATH_HOST_DSA_KEY_FILE only; but the server's file names can be configured. Why should ssh then "read every private key on the system"? Why do I "have to hardcode another filename"?
> On Wed, Oct 24, 2001 at 04:41:02PM +0200, Hans Werner Strube wrote:
> > I do not quite understand. I thought that each host would usually have the
> > same host key(s), regardless whether acting as server or client. The default
> > setting for the client is _PATH_HOST_KEY_FILE, _PATH_HOST_DSA_KEY_FILE and
> > _PATH_HOST_RSA_KEY_FILE and for the server _PATH_HOST_KEY_FILE and
> > _PATH_HOST_DSA_KEY_FILE only; but the server's file names can be configured.
> > Why should ssh then "read every private key on the system"?
> > Why do I "have to hardcode another filename"?
>
> ssh(1) needs _PATH_HOST_RSA_KEY_FILE for hostbased authentication.
>
> if we add HostKey to .ssh/config a user can do this:
>
> % cat > .ssh/config << EOF
> Host myhost
> HostKey /root/.ssh/id_rsa
> PreferredAuthentications hostbased
> EOF
> % ssh myhost
>
> and sign data using the key of user root.

Thank you, now I see your point. But then the configurability of the server hostkey files seems to be rather superfluous, since they are usually the same as for an ssh client on this same machine.
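The design point in the thread (a setuid-root client must never open a private key at a path chosen by the unprivileged user) as an added toy model; this is not OpenSSH code. The host-key paths are the assumed pathnames.h defaults with SSHDIR=/etc/ssh, and the per-user config is the one quoted above, constructed inline.

```python
"""Toy model: a privileged hostbased signer with compiled-in host-key paths.

Hypothetical example, not OpenSSH source. The privileged code only ever opens
the fixed list below; a user-writable ~/.ssh/config cannot steer it anywhere
else, so "HostKey /root/.ssh/id_rsa" in that file is rejected, not honoured.
"""
import fnmatch

# Assumed compiled-in defaults (OpenSSH pathnames.h with SSHDIR=/etc/ssh).
FIXED_HOST_KEY_FILES = (
    "/etc/ssh/ssh_host_key",      # _PATH_HOST_KEY_FILE
    "/etc/ssh/ssh_host_dsa_key",  # _PATH_HOST_DSA_KEY_FILE
    "/etc/ssh/ssh_host_rsa_key",  # _PATH_HOST_RSA_KEY_FILE
)

# Constructed per-user config, as in the quoted mail (the user controls this file).
USER_CONFIG = """\
Host myhost
    HostKey /root/.ssh/id_rsa
    PreferredAuthentications hostbased
"""


def parse_ssh_config(text, host):
    """Return the options that apply to `host`; first value wins, as in ssh(1)."""
    opts, active = {}, True
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            active = any(fnmatch.fnmatch(host, pat) for pat in value.split())
            continue
        if active:
            opts.setdefault(key, value)
    return opts


def hostbased_key_files(user_opts):
    """Paths the privileged signer may open: never taken from the user's config."""
    if "hostkey" in user_opts:
        # Unknown client option: refuse, like ssh(1)'s "Bad configuration option".
        raise ValueError("HostKey is not a client option: %r" % user_opts["hostkey"])
    return FIXED_HOST_KEY_FILES
```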