Re: Host key verification (known_hosts) with ProxyJump/ProxyCommand

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


On 18.08.23 07:39, Darren Tucker wrote:
On Fri, 18 Aug 2023 at 15:25, Stuart Longland VK4MSL <me@xxxxxxxxxx> wrote:
The crux of this is that we cannot assume the local IPv4 address is
unique, since it's not (and in many cases, not even static).

If the IP address is not significant, you can tell ssh to not record
them ("CheckHostIP no").

If I understand correctly, you need to *know* the target system's local 172-ish IP to be able to log in. If so, and your DNS admin frowns at setting up 16 million RRs to cover in preparation, might be helpful.

Otherwise, and assuming a *manageable* (mainly, enumerable) population of remote sites, I wonder whether this approach might work, too?

Host	Perth-47
	ProxyJump		Perth-GW
	GlobalKnownHostsFile	/dev/null
	UserKnownHostsFile	~/.ssh/known-in-Perth
Host	Adelaide-11
	ProxyJump		Adelaide-GW
	GlobalKnownHostsFile	/dev/null
	UserKnownHostsFile	~/.ssh/known-in-Adelaide

(Yes, I realize that with target IPs being *potentially dynamic* per DHCP, having known hostkeys indexed by site *and IP* might still turn out to be bothersome.)

Kind regards,
Jochen Bern

Binect GmbH

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

openssh-unix-dev mailing list

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux