On 18.08.23 07:39, Darren Tucker wrote:
> On Fri, 18 Aug 2023 at 15:25, Stuart Longland VK4MSL <me@xxxxxxxxxx> wrote:
> [...]
>> The crux of this is that we cannot assume the local IPv4 address is unique, since it's not (and in many cases, not even static).
>
> If the IP address is not significant, you can tell ssh to not record them ("CheckHostIP no").
If I understand correctly, you need to *know* the target system's local 172-ish IP to be able to log in. If so, and your DNS admin frowns at setting up 16 million RRs to cover 172.0.0.0/8 in preparation, sslip.io might be helpful.
https://sslip.io/

Otherwise, and assuming a *manageable* (mainly, enumerable) population of remote sites, I wonder whether this approach might work, too?

    Host Perth-47
        HostName 172.23.45.47
        ProxyJump Perth-GW
        GlobalKnownHostsFile /dev/null
        UserKnownHostsFile ~/.ssh/known-in-Perth

    Host Adelaide-11
        HostName 172.45.67.11
        ProxyJump Adelaide-GW
        GlobalKnownHostsFile /dev/null
        UserKnownHostsFile ~/.ssh/known-in-Adelaide

(Yes, I realize that with target IPs being *potentially dynamic* per DHCP, having known hostkeys indexed by site *and IP* might still turn out to be bothersome.)
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
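Added illustration of the problem the thread describes and of the per-site UserKnownHostsFile workaround proposed above; this is a simplified model of how ssh looks up a known_hosts entry, not OpenSSH's code. The addresses, key strings and site names are constructed sample data.

```python
"""Why a single known_hosts file fails when several sites reuse the same
RFC 1918 address, and why one known_hosts file per site (as selected by the
per-Host UserKnownHostsFile stanzas) avoids the clash. Simplified model of
ssh's known_hosts decision, not OpenSSH code. All data is constructed."""


def parse_known_hosts(text):
    """Return {host: [(keytype, key), ...]} from plain (non-hashed) known_hosts lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        hosts, keytype, key = fields[0], fields[1], fields[2]
        for host in hosts.split(","):            # "name,10.0.0.1" style host lists
            table.setdefault(host, []).append((keytype, key))
    return table


def check_host_key(known_text, host, keytype, presented):
    """Decision ssh makes for one host: 'ok', 'mismatch' (key changed) or 'new'."""
    candidates = parse_known_hosts(known_text).get(host, [])
    if (keytype, presented) in candidates:
        return "ok"                               # a stored key matches
    if any(kt == keytype for kt, _ in candidates):
        return "mismatch"                         # same type, different key: refused
    return "new"                                  # unseen host: ssh asks to add it


# Constructed: both sites have a machine at 172.23.45.47 with different host keys.
PERTH_KNOWN = "172.23.45.47 ssh-ed25519 AAAAC3-constructed-perth-47-key\n"
ADELAIDE_KNOWN = "172.23.45.47 ssh-ed25519 AAAAC3-constructed-adelaide-47-key\n"
SITE_KNOWN_HOSTS = {"Perth": PERTH_KNOWN, "Adelaide": ADELAIDE_KNOWN}

# A single shared known_hosts after Perth was visited first: the thread's situation.
SHARED_KNOWN = PERTH_KNOWN


def verify(site, host, keytype, presented, per_site=True):
    """per_site=True uses the site's own file; False uses the shared file."""
    known = SITE_KNOWN_HOSTS[site] if per_site else SHARED_KNOWN
    return check_host_key(known, host, keytype, presented)


if __name__ == "__main__":
    adl = "AAAAC3-constructed-adelaide-47-key"
    print("shared file  :", verify("Adelaide", "172.23.45.47", "ssh-ed25519", adl, False))
    print("per-site file:", verify("Adelaide", "172.23.45.47", "ssh-ed25519", adl))
```

With the shared file the Adelaide box is reported as a changed host key, because the entry is indexed by the reused address; with the per-site file it simply matches.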