similar to: [Feature Request] Add (and check against) IP to known_hosts even when domain is used to connect

2005 Dec 10
2
known_hosts and multiple hosts through a NAT router
The .ssh/known_hosts table cannot handle reaching different sshd servers behind a NAT router. The machines are selected by having the SSHDs respond to different ports. A second request would be to allow known_hosts checking solely on the dns name, wildcarding the IP address. This would be useful to avoid continuously warning the user every time you connect to a machine with a changing IP address
2004 Sep 10
11
[Bug 910] known_hosts port numbers
http://bugzilla.mindrot.org/show_bug.cgi?id=910 mindrot at askneil.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mindrot at askneil.com ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the
2023 Aug 18
1
Host key verification (known_hosts) with ProxyJump/ProxyCommand
On Fri, 18 Aug 2023 at 17:18, Stuart Longland VK4MSL <me at vk4msl.com> wrote: > On 18/8/23 15:39, Darren Tucker wrote: [...] > > I think you just need "HostKeyAlias mytarget" here. > > Ahh, in my scanning through the `ssh_config` manpage, I missed this, and > change logs seem to indicate this feature has been around since at least > 2017, so should not cause
2002 Feb 01
4
OpenSSH Key Storage
I have had a brief discussion with Damien Miller (below) about storing host port values in the known_hosts file so as to track multiple ssh sessions (with independent keys) that run on a single host but accept connections on different ports. If it were possible to state that a given key for a remote host belonged to that host's ssh session on port 23 and that another key belonged to that
2020 Sep 30
3
Human readable .ssh/known_hosts?
On Tue, 29 Sep 2020 at 23:16, Nico Kadel-Garcia <nkadel at gmail.com> wrote: [...] > I gave up on $HOME/.ssh/known_hosts a *long* time ago, because if > servers are DHCP distributed without static IP addresses they can wind > up overlapping IP addresses with mismatched hostkeys You can set CheckHostIP=no in your config. As long as the names don't change it'll do what you
2002 Sep 10
8
[Bug 393] 'known_hosts' file should be indexed by IP:PORT, not just IP
http://bugzilla.mindrot.org/show_bug.cgi?id=393 markus at openbsd.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |INVALID ------- Additional Comments From markus at openbsd.org 2002-09-11
2003 Dec 18
2
known_hosts, IP, and port revisited
I dug through the list archives to see if this had come up before, and I see that a bug <http://bugzilla.mindrot.org/show_bug.cgi?id=393> was submitted and subsequently closed (basically rejected) in 2002. The basic issue, for those of you who don't feel like following the bug URL, is that when one has ssh servers behind a NAT, each of which responds to a different port on the NAT IP,
2023 Aug 18
1
Host key verification (known_hosts) with ProxyJump/ProxyCommand
On 18/8/23 15:39, Darren Tucker wrote: >> Host mytarget >> Hostname 172.16.1.2 >> ProxyJump user2 at bastion2 > I think you just need "HostKeyAlias mytarget" here. Ahh, in my scanning through the `ssh_config` manpage, I missed this, and change logs seem to indicate this feature has been around since at least 2017, so should not cause
2005 Apr 21
11
[Bug 910] known_hosts port numbers
http://bugzilla.mindrot.org/show_bug.cgi?id=910 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |foomzilla at fuhm.net ------- Additional Comments From djm at mindrot.org 2005-04-21 18:16 ------- *** Bug 454 has been marked as a
2023 Nov 10
1
@cert-authority for hostbased auth - sans shosts?
On 09/11/23, Marian Beermann (public at enkore.de) wrote: > ... while OpenSSH does support using a CA in conjunction with hostbased > authentication, it still requires a list of all authorized host names in the > rhosts / shosts file. I'm not familiar with the use of .rhosts/.shosts, but I don't think those are needed at all with a machine or per-user known_hosts file/files
2023 Aug 18
1
Host key verification (known_hosts) with ProxyJump/ProxyCommand
On Fri, 18 Aug 2023 at 15:25, Stuart Longland VK4MSL <me at vk4msl.com> wrote: [...] > The crux of this is that we cannot assume the local IPv4 address is > unique, since it's not (and in many cases, not even static). If the IP address is not significant, you can tell ssh to not record them ("CheckHostIP no"). [...] > Host mytarget > Hostname 172.16.1.2
2015 Feb 22
3
PKI host based principal
Hello, Maybe I did not understand correctly the PKI trust, so forgive me if I am wrong. For example, I have multiple hosts that all serve as monitoring server, I would like to trust only these hosts, so I enrol a certificate for these using "monitoring" principal, so I can connect only to these. At first I thought we can do Match statement at ssh_config, however, the Match is being
2023 Nov 09
1
@cert-authority for hostbased auth - sans shosts?
Hi, we're looking to reduce the number of host lists that need to be kept in sync in our system. (There are quite a few of them all over the place) OpenSSH CAs are an obvious solution for not having to keep all host keys in sync in /etc/ssh/known_hosts, however, while OpenSSH does support using a CA in conjunction with hostbased authentication, it still requires a list of all authorized
2005 May 12
6
[Bug 1039] Incomplete application of HostKeyAlias in ssh
http://bugzilla.mindrot.org/show_bug.cgi?id=1039 Summary: Incomplete application of HostKeyAlias in ssh Product: Portable OpenSSH Version: 4.0p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: ssh AssignedTo: bitbucket at mindrot.org ReportedBy: cdmclain
2020 Oct 30
3
[Bug 3226] New: Feature request: Prempt fingerprint prompt when connecting to new server
https://bugzilla.mindrot.org/show_bug.cgi?id=3226 Bug ID: 3226 Summary: Feature request: Prempt fingerprint prompt when connecting to new server Product: Portable OpenSSH Version: 8.4p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component:
2006 May 06
1
[Bug 910] known_hosts port numbers
http://bugzilla.mindrot.org/show_bug.cgi?id=910 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #954 is|0 |1 obsolete| | Attachment #1052 is|0 |1 obsolete|
2006 Jun 19
3
[Bug 910] known_hosts port numbers
http://bugzilla.mindrot.org/show_bug.cgi?id=910 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |ildefonso_camargo at yahoo.com ------- Comment #42 from dtucker at zip.com.au 2006-06-20 09:32 ------- *** Bug 1198 has been marked
2018 Apr 21
4
build-issue on AIX with openssh-7.7p1 - easy correction! included
Get the following error: root at x065:[/data/prj/openbsd/openssh/openssh-7.7p1/openbsd-compat]make ??????? xlc_r -I/opt/include -O2 -qmaxmem=-1 -qarch=pwr5 -q64 -I. -I.. -I../../src/openssh-7.7p1/openbsd-compat -I../../src/openssh-7.7p1/openbsd-compat/.. -I/opt/include -DHAVE_CONFIG_H -c ../../src/openssh-7.7p1/openbsd-compat/strndup.c
2001 Aug 28
2
[patch] known hosts with ports
Hello. We are currently installing a new firewall, and would like to use a mixture of NAT and port mapping to have a single "gateway" host address which exposes a range of open ports, each of which maps to sshd of a different host in our internal network (e.g. ssh.jesus.cam.ac.uk on port 6789 maps to internal host1 port 22 whereas ssh.jesus.cam.ac.uk on port 6790 maps to internal
2002 Apr 10
2
I need to be able to turn off host checking entirely
I have a small LAN. The entire system is within my view - all the hosts, the switch and the wire. If someone is in a position to do a "man in the middle" attack, there's no need - they already have me. Over the other side of the room, and beside my desk, I have test systems. I use disk caddies (see www.vipower.com for examples) and can switch operating systems in about the