From owner-freebsd-security Sun Nov 21 22: 3: 3 1999 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 4B29E14C1A for ; Sun, 21 Nov 1999 22:02:54 -0800 (PST) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id BAA27409; Mon, 22 Nov 1999 01:02:31 -0500 (EST) (envelope-from robert@cyrus.watson.org) Date: Mon, 22 Nov 1999 01:02:31 -0500 (EST) From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: Dug Song Cc: Tomaz Borstnar , freebsd-security@freebsd.org Subject: Re: OpenSSH & AllowHosts In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sun, 21 Nov 1999, Dug Song wrote: > > I know it can be done via packet filtering, but 100% compatibility > > with usual ssh would be nice. Anyone knows if this will be added? > > OpenSSH intentionally deviates from the original SSH in many ways - see > > http://violet.ibs.com.au/openssh/files/UPGRADING > I've noticed that OpenSSH also seems to handle hostnames in ssh_known_hosts differently--I have a fairly extensive ssh_known_hosts file distributed across my machines to account for all the hosts I regularly connect to. I found that the new OpenSSH ignores the hostname-based entries and adds new IP-based entries automatically, with minimal warning. Is it doing all lookups based on IP and adding the key as a new host key, or is it copying the old entry to a new entry with new name? The first would seem to be fairly insecure (as the warning is not very loud and doesn't request confirmation); the second is not documented in the UPGRADING file and a little alarming :-). Any clarification here would be much appreciated--if it is absorbing new host keys without asking for confirmation, even though host keys are already present with a by-name lookup, I'm not sure I like the behavior--names are more likely to remain consistent in the world of NATs, dynamic IPs with DNS update, etc. Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message