openssh unix dev - Jan 2002 - [Bug 80] Host key conflict with two servers on one IP

http://bugzilla.mindrot.org/show_bug.cgi?id=80

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME



------- Additional Comments From djm at mindrot.org  2002-01-26 09:59 -------
You can use the HostKeyAlias option in ~/.ssh/config or /etc/ssh_config to
"rename" hosts to avoid these collisions.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=80

carson at taltos.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
           Priority|P2                          |P3
         Resolution|WORKSFORME                  |



------- Additional Comments From carson at taltos.org  2002-01-26 10:29 -------
Services are provided on an IP:PORT pair basis. Assuming anything else is 
silly. The existance of a workaround for the bug does not imply the non-
existance of the bug itself. OpenSSH should behave correctly in the default 
case, not require users to muck about with their configs. If you wish to 
consider it a low priority bug, fine (I'm dropping it to P3). But a bug it
is.




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=80

dan at doxpara.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |INVALID



------- Additional Comments From dan at doxpara.com  2002-01-26 10:54 -------
HostKeyAlias isn't just *a* solution, it's the right solution.  SSH
connects to
hosts, not to ports -- the port is just some address that may or may not lead 
to a specific desired host, possibly the machine listening on that port, 
possibly somewhere else.

We identify by destination, not by route.

Theory aside, what we want is for a given firewall to be able to remap a port 
on the external interface to an SSHD on the backend, with the client 
authenticating (and independently encrypting) against this forwarded link.

Instead of:

alice$  ssh -p 2022 user at firewall

either conflicting with the firewall's actual ssh key *or* somehow
associating
the key with the firewall itself(or, in the localhost variant involving 
127.0.0.1, just not authenticating at all), HostKeyAlias lets us inform the 
client of its expected cryptographically validated destination:  Bob.

alice$  ssh -o HostKeyAlias="Bob" -p 2022 user at firewall

I do have a better syntax for this that might someday actually work, but there 
is no bug beyond that.  It's as incorrect to see Bob's key associated
with the
firewall as it would be to see it associated with, say, MAE-West. 
Firewall's
just the route -- Bob's who we're looking for.

That being said -- you're generally correct about services mapping to
IP:PORT.
SSH escapes this general purpose simplification, because its services don't 
always remain on the same IP:PORT.  SSL makes a similar judgement, 
authenticating DNS names but not IPs or Ports.  You are you, no matter your 
phone number.  It's much the same for cryptographically verified identity.




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=80





------- Additional Comments From djm at mindrot.org  2002-01-26 14:25 -------
A fursther comment: ssh works on port 22, that is what has been reserved by the
IANA. Anything else is a special case.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=80





------- Additional Comments From dan at doxpara.com  2002-01-26 16:53 -------
The IANA number is nice, but I wouldn't call "anything else a special
case".
If it wasn't for the nature of the crypto identity, he'd have a good
argument
that we weren't elegantly supporting multiple servers living on the same
host.

It's a bit strange coming up with an example, but suppose web browsers
didn't
attach the alternate port to relative links.  Sure, you could download the HTML 
page, but any linked images would either have to be absolutely specified or 
would be attempted to be sucked from the server on port 80, the "IANA"
port.
It'd be presumptively incorrect behavior, even if the original page was 
retrieved via HTTP.  Multiple servers on the same host have different content, 
and that's OK.

Keep in mind -- port shifting is pretty much the only way to virtual host HTTP 
over SSL.

SSH is a much different story, though.  "Multiple servers living on the
same
host" represent one of two things:

A) An alternate SSHD running locally, possibly for testing purposes.  The keys 
should match, and as does the desired destination.
B) An alternate SSHD running remotely, probably port forwarded.  The keys ought 
not match, because someone's trying to go elsewhere.

Content is not identity.  Who you are is different than what you say.

Anyway, IANA is a suggestion and a reservation; it excludes other services from 
using SSH's port, but shouldn't be construed to restrict SSH to 22.  
Flexibility is a good thing.

--Dan





------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.