From owner-freebsd-security Mon May 7 17:52:33 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailer.progressive-comp.com (docs3.abcrs.com [63.238.77.222]) by hub.freebsd.org (Postfix) with ESMTP id 6145737B423 for ; Mon, 7 May 2001 17:52:30 -0700 (PDT) (envelope-from docs@mailer.progressive-comp.com)
Received: (from docs@localhost) by mailer.progressive-comp.com with id UAA10252; Mon, 7 May 2001 20:51:44 -0400
Date: Mon, 7 May 2001 20:51:44 -0400
Message-Id: <200105080051.UAA10252@mailer.progressive-comp.com>
From: Hank Leininger
Reply-To: Hank Leininger
To: freebsd-security@FreeBSD.ORG
Subject: Re: OpenSSH accepts any RSA key from host 127.0.0.1, even on non-default ports
X-Shameless-Plug: Check out http://marc.theaimsgroup.com/
X-Warning: This mail posted via a web gateway at marc.theaimsgroup.com
X-Warning: Report any violation of list policy to abuse@progressive-comp.com
X-Posted-By: Hank Leininger
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 2001-05-03, Robert Watson wrote:

> and was told it was a "feature" -- intended to allow people to "ssh
> localhost" without getting key errors when using NFS mounted home
> directories. Bleh.

That rationale sounds reasonable, but even if so, IMHO only 127.0.0.1 should be magical this way. Connecting to other loopback net addresses (127.213.75.23, etc) should be checked as usual. Then one could use alternate loopback addrs for specific tunnels, each of which can have its own host key.

> really, it would be nice if there was a way to say:
> ssh -p 5646 -usekeyfor fledge.watson.org localhost
> I.e., connect to localhost:5646, but use the host key associated with
> fledge.watson.org in the keys file.

Would something like setting HostKeyAlias work?

  ssh -p 5646 -o HostKeyAlias=fledge.watson.org localhost

(Of course the above is bogus since localhost is magically accepted...)

Then you'd set up ~/.ssh/config entries so that 'ssh fledge' automatically connected to localhost:5646 (or 127.156.12.50:5646) with the right HostKeyAlias set.

--
Hank Leininger

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
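The ~/.ssh/config arrangement the reply sketches, written out as an added example (not part of the original message): the alias name, port and alternate loopback address are the ones from the thread, and the known_hosts key is a constructed placeholder.

```ssh_config
# ~/.ssh/config (added example; values taken from the thread)
Host fledge
    # Connect to an alternate loopback address rather than 127.0.0.1, so the
    # client performs its normal host-key check instead of the localhost
    # special case the thread complains about.
    HostName 127.156.12.50
    Port 5646
    # Look the host key up (and save it) under this name in known_hosts,
    # instead of under the address and port actually connected to.
    HostKeyAlias fledge.watson.org
    # Refuse to connect if the key under the alias does not match.
    StrictHostKeyChecking yes

# Matching ~/.ssh/known_hosts line: the entry is keyed on the alias, not on
# 127.156.12.50 or on [127.156.12.50]:5646 (placeholder key, not a real one).
#   fledge.watson.org ssh-rsa AAAA...PLACEHOLDER...
```

Running `ssh -G fledge` prints the options the client would actually apply, which is a quick way to confirm that the alias, address and port resolved as intended before relying on the tunnel.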