bugzilla-daemon at mindrot.org
2002-Aug-21 18:57 UTC
[Bug 80] Host key conflict with two servers on one IP
http://bugzilla.mindrot.org/show_bug.cgi?id=80
------- Additional Comments From eric-ossh at brouhaha.com 2002-08-22 04:57
-------
This "HostKeyAlias" business seems like a flimsy excuse for not implementing a
feature that users want. In this age of ubiquitous firewalls and NAT, it is NOT
reasonable to assume that two ports on the same IP address refer to the same
host, or to the same SSH server. Even if you run two SSH daemons on one host,
as Dan Kaminsky suggests, it is NOT necessarily the case that they are under the
same administrative control or have the same security requirements, so it is not
reasonable to assume that they must have the same key.

I fail to see what the harm would be in storing the port number as part of the
known hosts database. In the rare cases where there were two ports on the same
SSH server that did use the same key, it's not like this would cause the user
any problems.
Furthermore, it is not clear how to use the HostAlias option in a configuration
file to do the right thing. It may well be possible, but the documentation does
not explain it adequately. Suppose I have a machine "firewall", and port 1234
on its IP address is mapped to port 22 on an internal host "foo". I tried
putting the following in the SSH configuration of an external machine:

    Host foo
        HostKeyAlias foo
        HostName firewall
        Port 1234

This basically works, except that it still gives a warning:

    Warning: the RSA host key for 'foo' differs from the key for the IP address
    'xx.xx.xx.xx'
    Offending key for IP in /home/xx/.ssh/known_hosts:xx
    Matching host key in /home/ss/.ssh/known_hosts:xx
    Are you sure you want to continue connecting (yes/no)?
So my questions are:

1) What do I need to put in my SSH config so that I can say "ssh foo" and
get the right behavior?

2) Why is it so undesirable to simply implement a reasonable feature that
users want? I'd much rather just say "ssh -p 1234 firewall" and have
the right thing happen, because I have a lot of hosts behind firewalls,
and a lot of outside hosts that access them, and I really don't want
to have to create n*m entries in SSH configurations to deal with it.

Lest you think that I'm begging for someone else to spend time writing code
for me, I'll point out that I'm perfectly happy to write the patch, provided
that there's a reasonable chance that it will be integrated into the standard
code base. I don't want to have to rebuild SSH to add the patch every time
there's an update from the vendor; I would much rather see this feature
become standard, and it's obvious that other users would also.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2002-Aug-21 19:05 UTC
[Bug 80] Host key conflict with two servers on one IP
http://bugzilla.mindrot.org/show_bug.cgi?id=80
------- Additional Comments From eric-ossh at brouhaha.com 2002-08-22 05:05 -------
I forgot to mention the other reason why I want the requested feature.
Sometimes with the firewall/NAT, I map a firewall port (say 1234) to the same
port on an internal machine, and run the sshd on that port. The reason for this
is that my DNS servers are set up so that inside the firewall/NAT, a DNS lookup
for foo will return its local IP address, but from the outside DNS will return
the address of the firewall. So it would be nice to be able to say
"ssh -p 1234 foo" on my laptop and have the right thing happen, regardless of
whether my laptop is currently attached to the interior network or somewhere on
the internet at large.

For this to work correctly, the knownhosts entry should contain an entry
matching the hostname and the port number. And if I didn't want to always type
the "-p" option, I could put that in the SSH configuration, but I wouldn't need
two configuration entries for the same host.
bugzilla-daemon at mindrot.org
2002-Aug-21 19:27 UTC
[Bug 80] Host key conflict with two servers on one IP
http://bugzilla.mindrot.org/show_bug.cgi?id=80
------- Additional Comments From markus at openbsd.org 2002-08-22 05:27 -------
you might want to combine HostKeyAlias with CheckHostIP=no
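The warning quoted in the first comment and the CheckHostIP suggestion above both come down to how the client consults known_hosts: one lookup under the host name (or the HostKeyAlias), a second under the resolved IP address, and a warning when the two entries disagree. Later OpenSSH releases also record non-standard ports as "[host]:port" entries, which is the per-port lookup the reporter asks for. The following Python script is added here and is not part of the bug report or of OpenSSH; it parses a small constructed known_hosts file in that format, reports names that carry more than one key, and reproduces the host-versus-IP comparison with and without CheckHostIP. The host names, addresses and key blobs in the sample are placeholders.

```python
"""Inspect an OpenSSH-style known_hosts file for per-port entries and key conflicts."""
from collections import defaultdict

# Constructed sample known_hosts (placeholder names, addresses and key blobs):
# 'foo' is reached through 'firewall' port 1234, so the key stored under the
# alias 'foo' differs from the key stored for the firewall's IP address.
SAMPLE_KNOWN_HOSTS = """\
firewall,192.0.2.10 ssh-rsa AAAAB3firewallkey
foo ssh-rsa AAAAB3fookey
[firewall]:1234 ssh-rsa AAAAB3fookey
# comment lines and blank lines are ignored

"""


def parse_known_hosts(text):
    """Return a list of (name, keytype, key) tuples, one per host pattern on each line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):          # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3 or fields[0].startswith("|1|"):
            continue                           # malformed, or hashed (HashKnownHosts) line
        names, keytype, key = fields[0], fields[1], fields[2]
        for name in names.split(","):          # a line may list several names/addresses
            entries.append((name, keytype, key))
    return entries


def lookup_name(host, port):
    """Name under which OpenSSH stores the key: bare host for port 22, '[host]:port' otherwise."""
    return host if port == 22 else f"[{host}]:{port}"


def keys_for(entries, name, keytype="ssh-rsa"):
    """Set of keys recorded under one known_hosts name (host, alias, address or [host]:port)."""
    return {key for n, kt, key in entries if n == name and kt == keytype}


def find_conflicts(entries):
    """Map (name, keytype) -> keys for every name that carries more than one distinct key."""
    by_name = defaultdict(set)
    for name, keytype, key in entries:
        by_name[(name, keytype)].add(key)
    return {k: v for k, v in by_name.items() if len(v) > 1}


def host_ip_mismatch(entries, name, ip, check_host_ip=True, keytype="ssh-rsa"):
    """True when the key stored under `name` (e.g. a HostKeyAlias) differs from the
    key stored for the IP address the connection goes to: the situation behind the
    'host key ... differs from the key for the IP address' warning.
    With check_host_ip=False (CheckHostIP no) the IP entry is not consulted."""
    if not check_host_ip:
        return False
    host_keys = keys_for(entries, name, keytype)
    ip_keys = keys_for(entries, ip, keytype)
    # No warning if either side is unknown; OpenSSH just records the missing entry.
    return bool(host_keys and ip_keys) and host_keys != ip_keys


if __name__ == "__main__":
    entries = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    print("conflicts:", find_conflicts(entries) or "none")
    print("key for firewall:1234:", keys_for(entries, lookup_name("firewall", 1234)))
    print("foo vs 192.0.2.10 mismatch (CheckHostIP yes):",
          host_ip_mismatch(entries, "foo", "192.0.2.10"))
    print("foo vs 192.0.2.10 mismatch (CheckHostIP no): ",
          host_ip_mismatch(entries, "foo", "192.0.2.10", check_host_ip=False))
```

Run it directly for a printed report. Hashed (HashKnownHosts) lines are skipped because plain string matching cannot resolve them, and the key-blob strings stand in for real base64 keys.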
bugzilla-daemon at mindrot.org
2002-Aug-22 09:50 UTC
[Bug 80] Host key conflict with two servers on one IP
http://bugzilla.mindrot.org/show_bug.cgi?id=80
------- Additional Comments From j.petersen at msh.de 2002-08-22 19:50 -------
I have several ssh connections forwarded over ssh tunnels at various
ports on localhost, all following the same scheme:

    Host MYTUNNELHOST
        # ssh -f -L 32xxx:MYTUNNELHOST:22 -N INTERMEDIATEHOST
        Port 32xxx
        HostName localhost
        HostKeyAlias MYTUNNELHOST
        Protocol 1
    ...

-> No conflicting keys, although everything goes over localhost on different
ports...

Just one stanza in /etc/ssh/ssh_config and it works...
I say: "ssh MYTUNNELHOST"
but the connection is to localhost:32xxx
MYTUNNELHOST doesn't even need to be resolvable to an IP!!!!