Joshua Dietz
2020-Mar-21 19:22 UTC
[Feature Request] Add (and check against) IP to known_hosts even when domain is used to connect
Hello,

I spent the whole day searching around, and the conclusion of my research by now is that what I want to accomplish is currently not possible without too many compromises. A brief summary of my use case (feature idea below):

What I would like to do is to have many (sub)domains pointing to the same server. This *may* be hundreds, and they may change, so it is not practical to add all of them to known_hosts. Also, I don't want to use the wildcard feature, since the DNS is not necessarily trusted and the domain may be shared between multiple users all having subdomains there.

The reason why I want to do that is because I have many different services on different servers. Currently I have to remember or write down which service is running on which server. But I would prefer to just have a subdomain for every service to connect to the respective server.

The problem is that currently, even if the IP of the server is always the same, I have to say "yes" to the question which adds the host to known_hosts for *every one* of the domains. This could even lead to a security problem, because if you have to do this that often then you'll get into the mode "ah, it asks me if the key is correct, probably I haven't used this domain before to connect".

So my feature idea would be the following: something like a configuration option saying "Always resolve DNS before host key checking". Probably the name already tells what it's about. So with this option enabled OpenSSH would, before adding the host to known_hosts and before checking a host against known_hosts, resolve it to the IP and then check the IP instead of the domain. So if I'd do ssh user@example.com it'd not check if known_hosts contains example.com but instead resolve example.com to an IP address (which it does anyway), say 95.95.95.95, and then check this IP against known_hosts (or add it if it is not in the file and the user says yes).

So what do you think? Could this feature help more people than just me? Does it maybe introduce some security problems which I did not see yet? One person whom I told about the idea said "but the IP could be spoofed". But as far as my understanding goes, A) the same problem is currently present the other way around if the DNS gets spoofed, and B) the identity of the server should still be verified by its private key.

Just in case this feature does exist against all my research: I'm sorry. I really spent hours to prepare before disturbing you.

Thank you in advance for your time, and thank you for your great work!

Kind regards
Joshua
Bob Proulx
2020-Mar-22 17:57 UTC
[Feature Request] Add (and check against) IP to known_hosts even when domain is used to connect
Joshua Dietz wrote:
> What I would like to do is to have many (sub)domains pointing to the same
> server. This *may* be hundreds and they may change so it is not practical to
> add all of them to known_hosts. Also I don't want to use the wildcard
> feature since the dns is not necessarily trusted and the domain may be
> shared between multiple users all having subdomains there.

Are you aware of HostKeyAlias? I know you say you "don't want to use the wildcard feature" but it isn't clear to me where you were thinking of those wildcards. This might be a case acceptable to you.

    HostKeyAlias
        Specifies an alias that should be used instead of the real host
        name when looking up or saving the host key in the host key
        database files and when validating host certificates. This
        option is useful for tunneling SSH connections or for multiple
        servers running on a single host.

This is useful when one accesses a host by a different name but wants to store the canonical name in known_hosts.

> The reason why I want to do that is because I have many different services
> on different servers. Currently I have to remember or write down which
> service is running on which server. But I would prefer to just have a
> subdomain for every service to connect to the respective server.

An example name or two to help us understand the type of naming you are using would help make this more concrete. I can guess something like ldap.example.net and sql.example.net and things like that, but experience tells me that my guesses will be far different than yours.

> The problem is that currently, even if the ip of the server is always the
> same, I have to say "yes" to the question which adds the host to known_hosts
> for *every* of the domains.
>
> This could even lead to a security problem because if you have to do this
> that often then you'll get into the mode "ah, it asks me if the key is
> correct, probably I haven't used this domain before to connect".

Regardless of other things, for a set of servers I recommend using ssh-keyscan to pre-populate the known_hosts file. That way one is not habituating oneself into accepting host keys all of the time. Having a known known_hosts file means that accepting a new host key is an unusual event and not an every-time event.

Therefore I suggest that you scan all of your possible DNS names to create a pre-populated known_hosts file. Update it when your server collective changes. Give it the review it deserves at that time. Then seamlessly use ssh the rest of the time.

> So my feature idea would be the following:

As to your feature request I have no opinion. It did not seem completely unreasonable to me on first reading. :-) I will leave comment about the feature to others.

Bob
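The two approaches in the reply above, a pre-populated known_hosts that gets reviewed, and a HostKeyAlias stanza that folds many names onto one canonical key entry, can both be checked offline. The following is an added example written for this thread; it is not code from either poster or from OpenSSH. It parses a known_hosts file in the format ssh-keyscan writes (including the hashed `|1|salt|hmac` form produced by `ssh-keyscan -H` / HashKnownHosts, which is HMAC-SHA1 keyed with the salt), looks a name up the way ssh would, groups the recorded names by key fingerprint so a review shows which names all land on one server, and emits the matching ssh_config stanza. The sample known_hosts content is constructed: the ssh-ed25519 key blobs are dummy 32-byte points, not real keys, and the wildcard matching uses fnmatch as an approximation of ssh's own `*`/`?` pattern matcher.

```python
import base64
import fnmatch
import hashlib
import hmac
from collections import defaultdict


# Constructed sample host keys: SSH wire encoding of an ssh-ed25519 public key
# (string "ssh-ed25519" + string 32-byte point). Dummy points, not real keys.
def _fake_ed25519_blob(point_byte: int) -> str:
    blob = (b"\x00\x00\x00\x0bssh-ed25519"
            + b"\x00\x00\x00\x20" + bytes([point_byte]) * 32)
    return base64.b64encode(blob).decode()


KEY_BOX1 = _fake_ed25519_blob(0x42)   # stands in for box1.example.net's key
KEY_OTHER = _fake_ed25519_blob(0x43)  # an unrelated server's key


def hash_hostname(name: str, salt: bytes) -> str:
    """Hashed known_hosts host field: |1|b64(salt)|b64(HMAC-SHA1(salt, name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                             base64.b64encode(mac).decode())


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> list:
    """Split known_hosts lines into marker, host patterns, key type, key, fingerprint."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        marker = None
        if line.startswith("@"):           # @cert-authority / @revoked lines
            marker, line = line.split(None, 1)
        fields = line.split(None, 3)       # hosts, type, key[, comment]
        if len(fields) < 3:
            continue                       # malformed line; ssh skips these too
        hosts, keytype, key_b64 = fields[0], fields[1], fields[2]
        entries.append({"marker": marker, "hosts": hosts, "type": keytype,
                        "key": key_b64, "fp": fingerprint(key_b64)})
    return entries


def entry_matches(entry: dict, host: str) -> bool:
    """Does the entry's host field cover `host`? Hashed entries are re-hashed
    with the stored salt; plain entries are a comma list with ! negation."""
    host = host.lower()                    # ssh lowercases the host before lookup
    patterns = entry["hosts"]
    if patterns.startswith("|1|"):
        _, _, salt_b64, _ = patterns.split("|")
        return hmac.compare_digest(hash_hostname(host, base64.b64decode(salt_b64)), patterns)
    matched = False
    for pat in patterns.lower().split(","):
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if fnmatch.fnmatchcase(host, pat):  # approximation of ssh's * and ? matcher
            if negated:
                return False               # a negated match vetoes the whole entry
            matched = True
    return matched


def lookup(text: str, host: str) -> list:
    """Entries that would verify `host` (CA/revoked marker lines excluded)."""
    return [e for e in parse_known_hosts(text)
            if e["marker"] is None and entry_matches(e, host)]


def names_per_key(text: str) -> dict:
    """Group recorded names by fingerprint: the review view for a scanned file."""
    by_fp = defaultdict(set)
    for e in parse_known_hosts(text):
        if e["hosts"].startswith("|1|"):
            by_fp[e["fp"]].add("<hashed>")
        else:
            by_fp[e["fp"]].update(e["hosts"].split(","))
    return dict(by_fp)


def host_key_alias_stanza(patterns: list, alias: str) -> str:
    """ssh_config text so every name matching `patterns` uses the key stored under `alias`."""
    return "\n".join("Host {}\n    HostKeyAlias {}".format(p, alias) for p in patterns)


# Constructed known_hosts shaped like ssh-keyscan output: one plain name,IP
# line, one hashed line (ssh-keyscan -H), one unrelated server with a comment.
SAMPLE_SALT = bytes(range(20))
KNOWN_HOSTS = "\n".join([
    "# constructed sample; not real keys",
    "box1.example.net,95.95.95.95 ssh-ed25519 " + KEY_BOX1,
    hash_hostname("sql.example.net", SAMPLE_SALT) + " ssh-ed25519 " + KEY_BOX1,
    "other.example.org ssh-ed25519 " + KEY_OTHER + " comment",
])

if __name__ == "__main__":
    for name in ("box1.example.net", "SQL.example.net", "ldap.example.net"):
        print(name, [e["fp"] for e in lookup(KNOWN_HOSTS, name)])
    for fp, names in names_per_key(KNOWN_HOSTS).items():
        print(fp, sorted(names))
    print(host_key_alias_stanza(["*.example.net"], "box1.example.net"))
```

On a real system the equivalent of `lookup` is `ssh-keygen -F name -f ~/.ssh/known_hosts`, and the file itself comes from `ssh-keyscan -H box1.example.net >> ~/.ssh/known_hosts`. With the generated `Host *.example.net` / `HostKeyAlias box1.example.net` stanza in ssh_config, ssh looks up and saves the key under the alias no matter which subdomain was typed or what DNS returned for it, so a server presenting a different key still fails host key verification.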