Host authenticity check

Posted Feb 18, 2007 14:29 UTC (Sun) by juriise (subscriber, #38305)
In reply to: Host authenticity check by k8to
Parent article: Set up remote access in UNIX through OpenSSH (developerWorks)

>Referring to the same computer by different names results in a different
>but similar warning. Worse, when one of the names is really a service
>name, and ssh seems to have (perhaps cannot have) any provision for
>recognizing this, resulting in a series of warnings in different
>scenarios.
These two servers are accessed through the same IP using destination NAT. With the HostKeyAlias, ssh checks the host key without being confused.

host egg
  hostname www.xxx.net
  User riise
  HostKeyAlias egg-axx
  CheckHostIp no
host morr
  hostname www.xxx.net
  User riise
  port 10022
  HostKeyAlias morr-axx
  CheckHostIp no


Port numbers in known_hosts

Posted Feb 19, 2007 8:46 UTC (Mon) by dtucker (subscriber, #6575)

Starting in 4.4, OpenSSH will also record the port number against the host key when you use a non-standard port so you don't actually need the hostkeyalias. When this happens you will see entries like this in your known_hosts file:

[1.2.3.4]:222 ssh-rsa AA...

It doesn't happen if you set HostKeyAlias and it transparently falls back to the non-port-specific one if need be, so most folks probably haven't noticed.
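
The lookup order described in the two comments above, as an added example (not part of either comment and not OpenSSH's own code): it reports which known_hosts line would pin a given host, port and HostKeyAlias, including hashed entries. The function names, the sample file and its placeholder keys are constructed for illustration; wildcard patterns and CheckHostIP are not modelled.

```python
import base64, hashlib, hmac

def hash_name(name, salt):
    """Hashed host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def lookup_names(host, port=22, host_key_alias=None):
    """Names searched, in order, following the behaviour the comments describe."""
    if host_key_alias:          # the alias replaces the name; no port is recorded
        return [host_key_alias]
    if port != 22:              # port-specific entry first, then the plain fallback
        return ["[%s]:%d" % (host, port), host]
    return [host]

def name_matches(pattern, name):
    if pattern.startswith("|1|"):   # recompute the hash using the entry's own salt
        salt = base64.b64decode(pattern.split("|")[2])
        return hmac.compare_digest(pattern, hash_name(name, salt))
    return pattern == name

def find_entry(known_hosts_text, host, port=22, host_key_alias=None):
    """Return (matched_name, keytype, key) for the first name with an entry, else None."""
    entries = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # skip blanks, comments, @cert-authority/@revoked markers, short lines
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        entries.append((fields[0].split(","), fields[1], fields[2]))
    for name in lookup_names(host, port, host_key_alias):
        for patterns, keytype, key in entries:
            if any(name_matches(p, name) for p in patterns):
                return name, keytype, key
    return None

# Constructed known_hosts content; the key fields are placeholders, not real keys.
SAMPLE = "\n".join([
    "# constructed sample",
    "egg-axx ssh-rsa KEY-EGG",
    "morr-axx ssh-rsa KEY-MORR",
    "[1.2.3.4]:222 ssh-rsa KEY-PORT222",
    "1.2.3.4 ssh-rsa KEY-PLAIN",
    hash_name("[www.xxx.net]:10022", b"constructed-salt") + " ssh-rsa KEY-HASHED",
])

if __name__ == "__main__":
    for args in [("www.xxx.net", 22, "egg-axx"), ("1.2.3.4", 222), ("1.2.3.4", 2222)]:
        print(args, "->", find_entry(SAMPLE, *args))
```

A result whose matched name is the plain host while the connection uses a non-standard port means the key is pinned only by the fallback entry, which every service behind that address shares.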

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds