Chris's Wiki :: blog/sysadmin/SshToGenericHosts Comments
https://utcc.utoronto.ca/~cks/space/blog/sysadmin/SshToGenericHosts?atomcomments
Recent comments in Chris's Wiki :: blog/sysadmin/SshToGenericHosts (feed updated 2009-06-26T14:17:02Z).

From 128.33.22.52 on /blog/sysadmin/SshToGenericHosts:
<div class="wikitext"><p>You write:</p>
<blockquote><p>The simple evil solution to the problem is to give all of the physical
hosts for the generic hostname the same host key. You probably don't
want to do this.</p>
</blockquote>
<p>This is the solution I've usually seen. What's wrong with it?</p>
</div>
(2009-06-26T14:17:02Z)

By Chris Siebenmann on /blog/sysadmin/SshToGenericHosts:
<div class="wikitext"><p>Ssh can't use the fully resolved versions of hostnames for checking
host keys, because the resolution process might be manipulated by an
attacker and thus you might be connecting to something other than what
you think you are. Checking the host key for the literal name that you
typed at least ensures that '<code>ssh host</code>' goes to the same place it did
last time.</p>
<p>(The attacker's change would have to be to a machine that you already
have a host key for, but there are still situations where this is
dangerous.)</p>
</div>
(2009-04-09T04:41:02Z)

From 82.46.76.43 on /blog/sysadmin/SshToGenericHosts:
<div class="wikitext"><p>On a related, but not quite related note, I really wish Host matching in
~/.ssh/config (and known hosts) used the fully resolved version of the hostname, rather than whatever the user typed (without the domain or search
path).</p>
<p>I guess it's a bit late now as changing it would break a lot of people's
configs, but it would be more flexible. (e.g. if I do 'ssh host', and have two entries in search, currently there's no way to match on the domain that host is in).</p>
</div>
(2009-04-08T20:42:33Z)

By rdump on /blog/sysadmin/SshToGenericHosts:
<div class="wikitext"><p>When you have a number of nodes in a high availability cluster, and your users will hit a random node while trying to reach the service name, then you probably won't be able to get them all to put in the relevant Host stanza to turn off key checking. Besides, in such situations you probably want key checking and warnings of changes. It makes more sense there to ensure each node has the same host key.</p>
</div>
(2009-04-08T19:15:07Z)

From 24.99.225.240 on /blog/sysadmin/SshToGenericHosts:
<div class="wikitext"><p>Why not just synchronize the host keys between the machines? We have had to do this in a few cases where hosts were placed behind a load-balancer, and it works like a charm.</p>
<p>- Ryan</p>
</div>
(2009-04-08T15:19:12Z)

From 64.88.176.254 on /blog/sysadmin/SshToGenericHosts:
<div class="wikitext"><p>In the event that you administer those real hosts behind the generic host, you could have them all use the same host key.</p>
</div>
(2009-04-08T13:43:25Z)

From 76.10.173.95 on /blog/sysadmin/SshToGenericHosts:
<div class="wikitext"><p>It's a much worse idea to turn off host key checking for all hosts. If you're worried about other users of the same system, the Host block solution could be confined to ~/.ssh/config.</p>
</div>
(2009-04-08T13:32:59Z)

From 88.171.200.213 on /blog/sysadmin/SshToGenericHosts:
<div class="wikitext"><p>bad idea to change this config option system wide...
why not alias "ssh" to "ssh -o StrictHostKeyChecking=no" in your ~/.bashrc (or equivalent) ?</p>
</div>
(2009-04-08T08:37:40Z)

From 76.103.56.154 on /blog/sysadmin/SshToGenericHosts:
<div class="wikitext"><p>so wrong...</p>
</div>
(2009-04-08T05:34:30Z)
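As an added example (not from the post or from any of the comments above), here is a small shell check for the "give every node the same host key" approach that several commenters describe: it reads ssh-keyscan output for the real nodes behind the generic name and reports whether each key type is identical across all of them, so that a node that missed the key sync is caught before users see a changed-key warning. The node names are placeholders and ssh-keyscan is assumed to be installed.

```shell
#!/bin/sh
# Added example: verify that all physical nodes behind a generic SSH
# hostname present the same host key (per key type).

# Read lines in ssh-keyscan / known_hosts format ("host keytype base64key")
# from stdin. Print, per key type, how many hosts answered and how many
# distinct keys were seen. Exit 0 only if every key type is consistent,
# 1 if any type has more than one distinct key, 2 if nothing was read.
keys_consistent() {
    awk '
        /^#/ || NF < 3 { next }                 # skip comments / short lines
        { n++; seen[$2 " " $3]++; types[$2]++ } # count key material per type
        END {
            if (n == 0) { print "no host keys read"; exit 2 }
            for (k in seen) { split(k, a, " "); distinct[a[1]]++ }
            bad = 0
            for (t in types) {
                printf "%s: %d host(s), %d distinct key(s)\n", t, types[t], distinct[t]
                if (distinct[t] > 1) bad = 1
            }
            exit bad
        }'
}

# Scan the real nodes (names are placeholders, passed as arguments) and
# check the ed25519 keys they present. Example:
#   check_nodes node1.example.com node2.example.com node3.example.com
check_nodes() {
    ssh-keyscan -t ed25519 "$@" 2>/dev/null | keys_consistent
}
```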