From owner-freebsd-security  Sun Nov 21 22: 3: 3 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
	by hub.freebsd.org (Postfix) with ESMTP id 4B29E14C1A
	for <freebsd-security@freebsd.org>; Sun, 21 Nov 1999 22:02:54 -0800 (PST)
	(envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3])
	by fledge.watson.org (8.9.3/8.9.3) with SMTP id BAA27409;
	Mon, 22 Nov 1999 01:02:31 -0500 (EST)
	(envelope-from robert@cyrus.watson.org)
Date: Mon, 22 Nov 1999 01:02:31 -0500 (EST)
From: Robert Watson <robert@cyrus.watson.org>
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson <robert+freebsd@cyrus.watson.org>
To: Dug Song <dugsong@monkey.org>
Cc: Tomaz Borstnar <tomaz.borstnar@over.net>,
	freebsd-security@freebsd.org
Subject: Re: OpenSSH &  AllowHosts
In-Reply-To: <Pine.BSO.4.10.9911211216430.4499-100000@funky.monkey.org>
Message-ID: <Pine.BSF.3.96.991122005937.27394A-100000@fledge.watson.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 21 Nov 1999, Dug Song wrote:

> > I know it can be done via packet filtering, but 100% compatibility
> > with usual ssh would be nice. Anyone knows if this will be added?
> 
> OpenSSH intentionally deviates from the original SSH in many ways - see
> 
> 	http://violet.ibs.com.au/openssh/files/UPGRADING
> 

I've noticed that OpenSSH also seems to handle hostnames in
ssh_known_hosts differently--I have a fairly extensive ssh_known_hosts
file distributed across my machines to account for all the hosts I
regularly connect to.  I found that the new OpenSSH ignores the
hostname-based entries and adds new IP-based entries automatically, with
minimal warning.  Is it doing all lookups based on IP and adding the key
as a new host key, or is it copying the old entry to a new entry with new
name?  The first would seem to be fairly insecure (as the warning is not
very loud and doesn't request confirmation); the second is not documented
in the UPGRADING file and a little alarming :-).  Any clarification here
would be much appreciated--if it is absorbing new host keys without
asking for confirmation, even though host keys are already present with a
by-name lookup, I'm not sure I like the behavior--names are more likely to
remain consistent in the world of NATs, dynamic IPs with DNS update, etc.

  Robert N M Watson 

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message