[rescue] SSH through firewall
John Duksta
rescue at sunhelp.org
Thu Dec 13 06:47:01 CST 2001
At 11:19 AM 12/12/2001 -0600, Scott Newell wrote:
> >~ Is there a better way? Any ssh clients that allow multiple
> >~ host keys for a host?
> >~
> >
> >I'm no expert, but wouldn't that weaken SSH? The host key is God.
>
>Would it? Instead of always assuming that host secure.net has key #1,
>you'd still check to be sure that:
> host secure.net on port 22 has key #1
> host secure.net on port 1022 has key #2
> host secure.net on port 2022 has key #3
> host secure.net on port 3022 has key #4
>
>Multiple keys per host, but each key is associated with that host _and_
>port number. Or does this scheme leave a big hole for a man-in-the-middle
>attack?
But if you look at your ~/.ssh/known_hosts file, you'll notice
that the ssh client does not record what port the sshd for a given
host was listening on. Thus, if you had multiple host keys for
a given host, you would end up having to ack a host key change
every time you connected to a different port. This would definitely
defeat the purpose of the host key.
-john
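An added example, not part of the original post or any reply, of the host-and-port keyed lookup Scott describes. It follows the `[host]:port` convention later OpenSSH versions use in known_hosts for non-default ports (a plain hostname entry applies to port 22); the sample entries and key strings are constructed.

```python
# Added example (not from the original thread): a known_hosts lookup keyed on
# host *and* port. Plain "host" entries apply to port 22; "[host]:port" entries
# apply to a non-standard port. Hashed (|1|...) entries and @marker lines are
# skipped here for brevity.

# Constructed sample known_hosts contents (not real keys).
KNOWN_HOSTS = """\
secure.net ssh-ed25519 AAAAKEY1
[secure.net]:1022 ssh-ed25519 AAAAKEY2
[secure.net]:2022 ssh-rsa AAAAKEY3
"""


def parse_known_hosts(text: str) -> dict:
    """Map (host, port) -> set of (keytype, key) from known_hosts text."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#@" or line.startswith("|1|"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        hosts, keytype, key = fields[0], fields[1], fields[2]
        for pattern in hosts.split(","):  # OpenSSH allows comma-separated hosts
            if pattern.startswith("[") and "]:" in pattern:
                host, _, port = pattern[1:].partition("]:")
                port = int(port)
            else:
                host, port = pattern, 22
            table.setdefault((host, port), set()).add((keytype, key))
    return table


def check_host_key(table: dict, host: str, port: int, keytype: str, key: str) -> str:
    """Return 'ok', 'unknown' or 'changed' for the key presented by host:port."""
    known = table.get((host, port))
    if not known:
        return "unknown"   # first contact on this host/port: user must confirm
    if (keytype, key) in known:
        return "ok"
    return "changed"       # mismatch for this host/port: refuse, possible MITM
```

With port in the key, a different key on port 1022 is simply a separate entry rather than a "host key changed" warning, while a mismatch on an already-known host/port pair is still flagged.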