bugzilla-daemon at mindrot.org
2002-Sep-10 20:11 UTC
[Bug 393] New: 'known_hosts' file should be indexed by IP:PORT, not just IP
http://bugzilla.mindrot.org/show_bug.cgi?id=393

Summary: 'known_hosts' file should be indexed by IP:PORT, not just IP
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: ssh
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: eric at addamark.com

The current logic for using the 'known_hosts' file is broken with respect to NAT. The current logic assumes that there is a 1:1 relationship between an IP Address and a physical host. This is not true. The correct logic would be to associate each IP:PORT pair with a physical host.

The current logic breaks if the SSH server is behind a NAT device that does port mapping. For example, 156.32.67.132:22 does not necessarily go to the same physical host as 156.32.67.132:1022.

The problem one sees as a result of this is that the 'StrictHostChecking' and 'CheckHostIP' settings in ssh_config will cause 'ssh' to fail when it shouldn't. We ran into this today when I mapped a second SSH server through our firewall on a new port.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
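The following is an added example, not code from the bug report or from OpenSSH. It shows the two lookup policies side by side: indexing known_hosts by address only (the behaviour the report describes, where a key recorded for port 22 is applied to a connection on port 1022 and the second server's key looks like a changed key) and indexing by (host, port), using the `[host]:port` entry form that OpenSSH's known_hosts format uses for non-default ports and the `|1|salt|hash|` hashed form written by HashKnownHosts. The sample entries, the address from the report and the placeholder key strings are constructed; pattern matching is simplified to `*` and `?` wildcards, and `@revoked` and `!` negation are not handled.

```python
"""Host-key lookup for an ssh known_hosts file indexed by (host, port).

Added example for the bug report above; not OpenSSH code. A known_hosts
line is: optional @marker, comma-separated host patterns, key type,
base64 key, optional comment. Non-default ports use the [host]:port
form; hashed entries use |1|<base64 salt>|<base64 HMAC-SHA1(salt, name)>|.
"""
import base64
import hashlib
import hmac
import os
import re

# Constructed placeholder key strings (not real keys).
KEY_A = "AAAAC3NzaC1lZDI1NTE5AAAAIHostAbehindNATonPort22PLACEHOLDER0"
KEY_B = "AAAAC3NzaC1lZDI1NTE5AAAAIHostBbehindNATonPort1022PLACEHOLDE"

# Constructed file: only the port-22 server behind the NAT address from the
# report is recorded so far, plus a CA line that must not count as a host key.
KNOWN_HOSTS_ONLY_A = f"""\
156.32.67.132 ssh-ed25519 {KEY_A}
# comment lines and blank lines are skipped
@cert-authority *.example.net ssh-ed25519 {KEY_B}
"""
# Same file after the second server on port 1022 has been recorded as well.
KNOWN_HOSTS_BOTH = KNOWN_HOSTS_ONLY_A + f"[156.32.67.132]:1022 ssh-ed25519 {KEY_B}\n"


def entry_name(host, port=22):
    """Name used in the file: bare host for port 22, [host]:port otherwise."""
    return host if port == 22 else f"[{host}]:{port}"


def hash_pattern(name, salt=None):
    """Produce the |1|salt|hash| form (as ssh-keygen -H does) for a name."""
    salt = salt if salt is not None else os.urandom(20)
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def pattern_matches(pattern, name):
    """Match one host pattern (plain, * / ? wildcard, or hashed) against a name."""
    if pattern.startswith("|1|"):
        parts = pattern.split("|")  # ['', '1', salt, mac, '']
        if len(parts) != 5:
            return False
        mac = hmac.new(base64.b64decode(parts[2]), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64encode(mac).decode(), parts[3])
    # Only * and ? are wildcards; brackets in [host]:port are literal.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, name) is not None


def parse_known_hosts(text):
    """Yield (marker, patterns, keytype, key) for every entry line."""
    for raw in text.splitlines():
        fields = raw.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if len(fields) < 3:
            continue
        yield marker, fields[0].split(","), fields[1], fields[2]


def find_host_keys(text, host, port=22):
    """Keys recorded for exactly this (host, port); CA lines are excluded."""
    name = entry_name(host, port)
    return [(kt, key) for marker, pats, kt, key in parse_known_hosts(text)
            if marker != "@cert-authority"
            and any(pattern_matches(p, name) for p in pats)]


def find_host_keys_ignoring_port(text, host):
    """The behaviour the report complains about: index by address only, so an
    entry recorded for any port on the address is applied to every port."""
    found = []
    for marker, pats, kt, key in parse_known_hosts(text):
        if marker == "@cert-authority":
            continue
        bare = [p[1:].rsplit("]:", 1)[0] if p.startswith("[") else p for p in pats]
        if any(pattern_matches(p, host) for p in bare):
            found.append((kt, key))
    return found


def host_key_status(known, presented_key, keytype="ssh-ed25519"):
    """'ok' if the presented key is recorded, 'changed' if a different key of
    the same type is recorded (what StrictHostKeyChecking refuses), else 'unknown'."""
    recorded = [key for kt, key in known if kt == keytype]
    if not recorded:
        return "unknown"
    return "ok" if any(hmac.compare_digest(k, presented_key) for k in recorded) else "changed"


def status_by_host_and_port(text, host, port, presented_key):
    return host_key_status(find_host_keys(text, host, port), presented_key)


def status_by_host_only(text, host, presented_key):
    return host_key_status(find_host_keys_ignoring_port(text, host), presented_key)


if __name__ == "__main__":
    # The second server, mapped through the firewall on port 1022, presents KEY_B.
    print("port-aware: ", status_by_host_and_port(KNOWN_HOSTS_ONLY_A, "156.32.67.132", 1022, KEY_B))
    print("address-only:", status_by_host_only(KNOWN_HOSTS_ONLY_A, "156.32.67.132", KEY_B))
```

With only the port-22 entry on file, the address-only lookup reports the port-1022 server as a changed key (the spurious failure the report describes), while the (host, port) lookup reports it as unknown, which is the case ssh can legitimately prompt to add; once both entries exist, each port verifies only against its own key.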