From owner-freebsd-security Tue May 1 17:33:06 2001
Delivered-To: freebsd-security@freebsd.org
Received: from falcon.mail.pas.earthlink.net (falcon.mail.pas.earthlink.net [207.217.120.74]) by hub.freebsd.org (Postfix) with ESMTP id 99A2537B423 for ; Tue, 1 May 2001 17:33:01 -0700 (PDT) (envelope-from dhagan@colltech.com)
Received: from colltech.com (1Cust216.tnt1.clarksburg.wv.da.uu.net [63.21.114.216]) by falcon.mail.pas.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id RAA00779; Tue, 1 May 2001 17:32:56 -0700 (PDT)
Message-ID: <3AEF5699.9CE7939A@colltech.com>
Date: Tue, 01 May 2001 20:36:41 -0400
From: Daniel Hagan
X-Mailer: Mozilla 4.73 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: oldfart@gtonet.net
Cc: "security@FreeBSD.ORG"
Subject: Re: OpenSSH accepts any RSA key from host 127.0.0.1, even on non-default ports
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Double encryption is only a big problem when done using the same cipher
system (as I recall). I suspect using different ciphers, as the original
author indicated, would be fine.

As far as the original question: Try setting StrictHostKeyChecking to
'yes' either in your configuration file or on the command line (with -o
...). You'll have to manually update the known_hosts file when you change
tunnels (or run ssh w/o the SHKC directive). I suspect you could manually
change the IPs in the known_hosts file to other 127.x.x.x ones as long as
you remembered which IP went to which tunnel. See the ssh(1) manpage for
more info.

I haven't tested this, so YMMV.

Daniel

Charles Ulysses Farley wrote:
>
> It *may* be less secure to ssh through a ssh tunnel but it is sometimes
> necessary if the machine on the other end of the tunnel has telnet closed
> and only allows ssh.
>
> Charles
>
> > -----Original Message-----
> > From: owner-freebsd-security@FreeBSD.ORG
> > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Mipam
> >
> > Some people think that using encryption to encrypt already encrypted data
> > is double secure. This is in general certainly not true.
> > Instead, sometimes it becomes only easier to crack it.
> > So I wouldn't advise using ssh in a ssh tunnel to avoid possible
> > problems like that.
> > Bye,
> >
> > Mipam.

--
Consultant, Collective Technologies http://www.collectivetech.com/
Use PGP for confidential e-mail. http://www.pgp.com/products/freeware/
Key Id: 0xD44F15B1 3FA0 D899 4530 702F 72B0 5A17 C2A5 2C2B D22F 15B1
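The reply above suggests giving each tunnel its own loopback address in known_hosts and running ssh with StrictHostKeyChecking set to yes. The script below is an added example, not code from the thread or from OpenSSH: it checks that every tunnel endpoint has its own pinned host key before the tunnel is used, and prints the strict ssh invocation for one endpoint. It assumes the OpenSSH known_hosts syntax "[host]:port type key" for non-default ports and a plain "host type key" line for port 22; the addresses, user name and key strings are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the original post): verify that each local
# tunnel endpoint has its own pinned host key, so that two tunnels can
# never share one known_hosts entry just because both sit on loopback.
# Assumes the OpenSSH known_hosts syntax "[host]:port type key" for
# non-default ports and "host type key" for port 22. All values below
# are constructed placeholders, not real keys or hosts.

KNOWN_HOSTS="${TMPDIR:-/tmp}/known_hosts.tunnels.$$"
trap 'rm -f "$KNOWN_HOSTS"' EXIT

# Constructed sample file: tunnel A on 127.0.0.2:22, tunnel B on 127.0.0.3:2202.
cat > "$KNOWN_HOSTS" <<'EOF'
127.0.0.2 ssh-rsa AAAAB3CONSTRUCTED-TUNNEL-A
[127.0.0.3]:2202 ssh-rsa AAAAB3CONSTRUCTED-TUNNEL-B
EOF

# pinned_key HOST PORT: print "type key" of the exact host:port entry,
# or nothing when that endpoint has no pinned key.
pinned_key() {
    if [ "$2" = 22 ]; then
        _pat="^$1 "
    else
        _pat="^\[$1\]:$2 "
    fi
    grep -- "$_pat" "$KNOWN_HOSTS" 2>/dev/null | awk '{ print $2, $3 }' | head -n 1
}

# strict_ssh_cmd USER HOST PORT: the invocation that refuses an unknown or
# changed key outright; the default "ask" would offer to accept a new key.
strict_ssh_cmd() {
    printf 'ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s -p %s %s@%s' \
        "$KNOWN_HOSTS" "$3" "$1" "$2"
}

# unpinned_tunnels "HOST:PORT HOST:PORT ...": print every endpoint that has
# no pinned key; the return value is the number of such endpoints (0 = all pinned).
unpinned_tunnels() {
    _missing=0
    for _ep in $1; do
        _h=${_ep%:*}
        _p=${_ep##*:}
        if [ -z "$(pinned_key "$_h" "$_p")" ]; then
            echo "$_ep"
            _missing=$((_missing + 1))
        fi
    done
    return "$_missing"
}

# Example run: tunnel C on 127.0.0.4:2204 has not been pinned yet, so it is
# reported and the strict invocation for it would be refused by ssh.
unpinned_tunnels "127.0.0.2:22 127.0.0.3:2202 127.0.0.4:2204" || echo "unpinned endpoints: $?"
strict_ssh_cmd alice 127.0.0.3 2202; echo
```

Because StrictHostKeyChecking=yes refuses any endpoint without an entry, each new tunnel's key has to be added to the file by hand, as the reply notes. Assigning a separate loopback address per tunnel is one way to keep the entries apart; ssh_config's HostKeyAlias option (assumed available in the reader's OpenSSH version) is another, letting each tunnel be pinned under a name rather than an address.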