All,

This may be a simple question, but I can't find the answer...

The situation... Client "C" connects to server "S". On server "S" I can find the client IP (IPv6) address in the SSH_CLIENT environment variable. I also need the client public key. On the client side, the public key ends up added to .ssh/known_hosts but what happens on the server side? I need to retrieve this key to validate the entry of a host name against a table of hosts which have previously contacted me (on possibly other IP addresses) so I can reject requests for names from keys which have changed. I'm trying to deal with some dynamic address problems.

I might deal with this through SSL (stunnel) and use certificates instead of SSH, but thought that SSH would save me some app coding and the clients would then already exist (I don't want to have to create and distribute and support a custom client app on all platforms).

A GROSS solution would be to "ssh" back to the client and abort the connection after getting the key, but that's a butt-ugly hack that won't work across firewalls and won't work with client-only systems (Windows) and I figure there has got to be some better way.

Anyone with some thoughts?

Mike
--
Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
On Sun, Jun 02, 2002 at 05:39:47PM -0400, Michael H. Warfield wrote:
> On server "S" I can find the client IP (IPv6) address in the
> SSH_CLIENT environment variable. I also need the client public key.
> On the client side, the public key ends up added to .ssh/known_hosts
> but what happens on the server side? I need to retrieve this key
> to validate the entry of a host name against a table of hosts which
> have previously contacted me (on possibly other IP addresses) so I
> can reject requests for names from keys which have changed. I'm
> trying to deal with some dynamic address problems.

Try to set it up so that you already have the public key and use that for authorization? That way you won't have to worry about addresses. Keys identify hosts, not IP(v*) addresses.

And public keys are just that, public. Even if it feels a bit awkward, you're really supposed to distribute your public key as much as possible.

If you can't distribute keys in advance I guess you're out of luck, but then the system won't be quite as secure either..

Just some .02..

//Peter
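Peter's approach (the pre-distributed key is the identity; the address is just recorded against it) can be wired up with an authorized_keys forced command, so the server never has to "retrieve" the key at all: the key that authenticated selects the line, and the line names the host. The handler below is an added example, not code from either poster. It assumes each client key gets an authorized_keys line of the form command="/usr/local/bin/register-host <name>",no-port-forwarding,no-pty ..., that clients send "register <name>" as their command, and an invented table path.

```shell
#!/bin/sh
# Added example, not from the thread. Forced-command handler for an
# authorized_keys entry that binds one client key to one host name, e.g.
#   command="/usr/local/bin/register-host hostA",no-port-forwarding,no-pty ssh-rsa AAAA...
# sshd runs this script instead of the client's requested command, so $1 is
# the name bound to the key that actually authenticated, SSH_ORIGINAL_COMMAND
# is the client's request (assumed format: "register <name>"), and SSH_CLIENT
# is "addr port serverport".

# register_host <key-bound-name> <original-command> <ssh-client>
# Appends "name<TAB>addr<TAB>epoch" to the table and returns 0 when the
# requested name matches the name bound to the key; returns 1 otherwise.
register_host() {
    bound=$1
    request=$2
    client=$3
    table=${HOST_TABLE:-/var/lib/register-host/hosts.tsv}   # assumed path

    # Only the one request shape is accepted; anything else is refused.
    case $request in
        "register "*) requested=${request#register } ;;
        *) echo "unsupported request" >&2; return 1 ;;
    esac

    # Host names are limited to a safe character set before they touch the table.
    case $requested in
        ""|*[!A-Za-z0-9.-]*) echo "bad host name" >&2; return 1 ;;
    esac

    # The key, not the address, decides which name may be registered: a
    # different key presenting a known name, or a known key presenting
    # someone else's name, is rejected whatever address it comes from.
    if [ "$requested" != "$bound" ]; then
        echo "key for $bound may not register $requested" >&2
        return 1
    fi

    addr=${client%% *}
    printf '%s\t%s\t%s\n' "$bound" "$addr" "$(date +%s)" >>"$table"
}

# Entry point when sshd invokes the script with the key's bound name.
if [ $# -gt 0 ]; then
    register_host "$1" "${SSH_ORIGINAL_COMMAND:-}" "${SSH_CLIENT:-}"
    exit $?
fi
```

Because the name comes from the authorized_keys line rather than from the client, a host whose address changes still registers under its own name, while a key that has changed simply fails authentication before this script ever runs.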