Re: hosts with gateway for hostkey checking? (was: Re: Host names hashing)

On 06/01/2022 12:54, mark dominik bürkle wrote:
> Besides accessing "same" IPs in a VLAN env, I see two more possibilities that might be in widespread use:
> - VLAN env
> - administering home office (or friends') PCs
> - customers accessed via (multiple) VPNs
>
> Most of these will have different gateway IPs. (Or just different interfaces?)
> So, for these users, finding the GW (e.g. via "ip route get <target>" as a shell cmd) and combining this with the hostname/IP for the known_hosts lookup might be helpful.
> With an option like
>     KnownHostsUseGw <host_list>
> the known_hosts entry might then be extended like
>     <known_host_entry> ":via_" <gw>
> or
>     <known_host_entry> ":via_" <device>

You haven't explicitly said what problem you're trying to solve. Is it that two different networks you use both have a host 192.168.1.123, and these are colliding in known_hosts?  I don't really see how the gateway comes into this; you could have two different 192.168.1.0/24 networks both with gateway 192.168.1.1, and you may be connected directly to the LAN.

There are several solutions to this, but in any case you should be accessing each target with a distinct name (because "ssh 192.168.1.123" can't tell the difference between the two 192.168.1.123 hosts).

If you have names that resolve in /etc/hosts or DNS under a shared domain, you could do this in ~/.ssh/config:

Host *.myfriend.local
    # newly learned keys are written to the first file listed
    UserKnownHostsFile ~/.ssh/known_hosts_myfriend ~/.ssh/known_hosts

Or you can make explicit entries for individual hosts (which is useful to give them shortcut names anyway):

# My friend's machines
Host foo
    Hostname 192.168.1.123
    UserKnownHostsFile ~/.ssh/known_hosts_myfriend

Host bar
    Hostname 192.168.1.124
    UserKnownHostsFile ~/.ssh/known_hosts_myfriend

# Work machines (same address as "foo", but a separate host key database)
Host qux
    Hostname 192.168.1.123
    UserKnownHostsFile ~/.ssh/known_hosts_work

Recent versions of ssh also support "KnownHostsCommand", which can implement more sophisticated logic of your choosing for retrieving the expected host keys for a given host.

HTH,

Brian.
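As an added illustration of the KnownHostsCommand route mentioned above (this is not code from the thread or from OpenSSH; the script name, the ~/.ssh/known_hosts.d/ layout and the per-interface file names are assumptions), here is a helper that selects a per-network known_hosts file by the interface the kernel would route the connection through, as in the "ip route get" idea, and prints that file for ssh to match against. It also has a pre-flight lookup so you can see which key ssh will expect before connecting. It never exits non-zero, because a failing KnownHostsCommand makes ssh abort the connection.

```shell
#!/bin/sh
# Added example, not part of the original thread or of OpenSSH.
# Assumed wiring in ~/.ssh/config (script name is made up):
#   KnownHostsCommand ~/.ssh/known_hosts_by_route.sh %H
# Assumed layout: one known_hosts file per outgoing interface plus a fallback:
#   ~/.ssh/known_hosts.d/tun0   ~/.ssh/known_hosts.d/wg0   ~/.ssh/known_hosts.d/default
# ssh does the hostname/key matching itself on whatever lines we print.
KH_DIR="${KH_DIR:-$HOME/.ssh/known_hosts.d}"

# route_dev ROUTE_LINE: outgoing interface from one line of `ip route get <addr>`
# output, e.g. "192.168.1.123 via 10.8.0.1 dev tun0 src 10.8.0.2 uid 1000".
# Prints "default" when there is no "dev" field (empty input, unroutable target).
route_dev() {
    dev=$(printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p')
    if [ -n "$dev" ]; then printf '%s\n' "$dev"; else printf 'default\n'; fi
}

# select_file DEV: the known_hosts file for DEV, or the fallback file.
select_file() {
    if [ -f "$KH_DIR/$1" ]; then printf '%s\n' "$KH_DIR/$1"
    else printf '%s\n' "$KH_DIR/default"; fi
}

# keys_for_host FILE HOST [PORT]: print the lines of FILE that name HOST,
# honouring comma-separated host lists, @cert-authority/@revoked markers and
# the "[host]:port" form used for non-22 ports. Hashed entries (|1|...) are
# skipped: only ssh/ssh-keygen can match those. Pre-flight check only.
keys_for_host() {
    port="${3:-22}"
    if [ "$port" = 22 ]; then want="$2"; else want="[$2]:$port"; fi
    awk -v want="$want" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comment or blank line
        {
            names = $1
            if (names ~ /^@/) names = $2        # marker line: hosts are in field 2
            if (substr(names, 1, 3) == "|1|") next
            n = split(names, parts, ",")
            for (i = 1; i <= n; i++)
                if (parts[i] == want) { print; next }
        }' "$1"
}

# main ADDR: what ssh invokes. An absent `ip` binary or an unroutable or
# unresolvable %H simply degrades to the fallback file; exit status is 0 always.
main() {
    route=$(ip route get "$1" 2>/dev/null | head -n 1)
    file=$(select_file "$(route_dev "$route")")
    [ -f "$file" ] && cat "$file"
    return 0
}

# Act as the KnownHostsCommand only when ssh passes an address; sourcing the
# file just defines the functions.
if [ $# -gt 0 ]; then main "$@"; fi
```

Two caveats worth keeping in mind: the outgoing interface is only a useful discriminator when the two networks really are reached through different interfaces (a VPN tunnel versus the LAN); if both are on the same interface you are back to needing distinct names, as above. And ssh-keygen -F <host> -f <file> gives you the same pre-flight lookup, hashed entries included, so the awk is only there to show the line format.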

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



