Date: Mon, 7 May 2001 20:51:44 -0400
From: Hank Leininger <freebsd-security@progressive-comp.com>
To: freebsd-security@FreeBSD.ORG
Subject: Re: OpenSSH accepts any RSA key from host 127.0.0.1, even on non-default ports
Message-ID: <200105080051.UAA10252@mailer.progressive-comp.com>
On 2001-05-03, Robert Watson <rwatson@FreeBSD.ORG> wrote:

> and was told it was a "feature" -- intended to allow people to "ssh
> localhost" without getting key errors when using NFS mounted home
> directories. Bleh.

That rationale sounds reasonable, but even if so, IMHO only 127.0.0.1 should be magical this way. Connecting to other loopback net addresses (127.213.75.23, etc.) should be checked as usual. Then one could use alternate loopback addrs for specific tunnels, each of which can have its own host key.

> really, it would be nice if there was a way to say:
>
>   ssh -p 5646 -usekeyfor fledge.watson.org localhost
>
> I.e., connect to localhost:5646, but use the host key associated with
> fledge.watson.org in the keys file.

Would something like setting HostKeyAlias work?

  ssh -p 5646 -o HostKeyAlias=fledge.watson.org localhost

(Of course the above is bogus since localhost is magically accepted...)

Then you'd set up ~/.ssh/config entries so that 'ssh fledge' automatically connected to localhost:5646 (or 127.156.12.50:5646) with the right HostKeyAlias set.

--
Hank Leininger <hlein@progressive-comp.com>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200105080051.UAA10252>
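The ~/.ssh/config stanza Hank sketches, written out as an added example; it is not part of the original message and not an OpenSSH project file. The host nickname "fledge" is an assumed alias; the port 5646, the real hostname fledge.watson.org and the alternate loopback address 127.156.12.50 are the ones used in the thread, and the stanza assumes the local tunnel endpoint is already listening on that address and port. The NoHostAuthenticationForLocalhost line applies to later OpenSSH releases, where the loopback exemption discussed here became a ssh_config option that defaults to "no"; the May 2001 version under discussion has no such knob, which is why the alternate loopback address matters.

```sshconfig
# Added example, not from the original message: pin the key for a tunnel
# endpoint on the loopback interface to the real server's known_hosts entry.
# "fledge" is an assumed nickname; the address, port and hostname come from
# the thread.
Host fledge
    # Alternate loopback address, so the hard-wired 127.0.0.1 exemption the
    # thread complains about does not apply (assumes the tunnel listens here).
    HostName 127.156.12.50
    Port 5646
    # Look the presented host key up (and store it) under the real name, not
    # under "127.156.12.50:5646".
    HostKeyAlias fledge.watson.org
    # Later OpenSSH releases expose the loopback exemption as an option that
    # defaults to "no"; state it explicitly so an include cannot re-enable it.
    NoHostAuthenticationForLocalhost no
    # Refuse to connect rather than prompt if the key does not match.
    StrictHostKeyChecking yes
```

With this in place, `ssh fledge` compares the key offered on 127.156.12.50:5646 against the known_hosts line for fledge.watson.org, and `ssh-keygen -F fledge.watson.org` shows which known_hosts entry will be consulted before the first connection is made.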