LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-17-2011, 07:12 AM   #1
brianmcgee
Member
 
Registered: Jun 2007
Location: Munich, Germany
Distribution: RHEL, CentOS, Fedora, SLES (...)
Posts: 399

Rep: Reputation: 38
Global ssh_known_hosts and DNS CNAMEs


Currently I am populating a global ssh_known_hosts file with RSA and DSS host keys.

Code:
short_name,fqdn,192.168.x.y ssh-dss AAAA.........
short_name,fqdn,192.168.x.y ssh-rsa AAAA.........
Some users don't use the fqdn of a server to log on via ssh, as the servers also possess CNAMEs according to their function.

So the user has to maintain his or her own known_hosts file, which is error prone.

For example, if a server becomes obsolete and the CNAME points to a different server, the user gets informed about a possible man-in-the-middle attack and a host key change.

If this happens regularly, the user may just ignore this message and the additional protection vanishes.

Is there a way that ssh only uses the IP address to check the host key? Ultimately, strict host key checking should be enabled.

The DNS server is a Windows server that does not support storing the host keys. I have no access to the zones and may not transfer them. So I cannot dig out all CNAMEs for a server and use them in the ssh_known_hosts file.

Last edited by brianmcgee; 01-17-2011 at 07:25 AM.
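As an added example (not code from the thread), the script below shows the format the poster is populating in working form: it builds one ssh_known_hosts line per server from an inventory of every name the server is reached by, comma-joined with no spaces, and then audits the result for the exact condition that produces the warning described above, a name bound to two different keys of the same type. All hostnames, addresses and key strings are constructed placeholders, not real host keys.

```shell
#!/bin/sh
# Added example: build global ssh_known_hosts entries and audit them for
# conflicting keys. Not from the thread; inventory data is constructed.

# Constructed inventory, one record per server: "names|ip|keytype|key".
# The names column lists short name, FQDN and any function CNAMEs the admin
# knows about; keys are placeholders, not real host keys.
INVENTORY='web1 web1.example.internal www|192.168.10.5|ssh-rsa|AAAAB3placeholderWEB1
db1 db1.example.internal database|192.168.10.6|ssh-rsa|AAAAB3placeholderDB1'

# build_known_hosts: print one ssh_known_hosts line per record. Every name and
# the IP are joined with commas and no spaces, which is the pattern list form
# ssh matches the connecting hostname against.
build_known_hosts() {
    printf '%s\n' "$INVENTORY" | awk -F'|' '{
        n = split($1, names, " ")
        hosts = ""
        for (i = 1; i <= n; i++) hosts = hosts (i > 1 ? "," : "") names[i]
        hosts = hosts "," $2
        print hosts, $3, $4
    }'
}

# find_conflicts: read known_hosts text on stdin and print each "name keytype"
# that is bound to more than one distinct key. A name whose recorded key no
# longer matches the server behind it is what makes ssh print the
# man-in-the-middle warning. Hashed (|1|...) entries are opaque and are
# treated as distinct names, so they never report a conflict here.
find_conflicts() {
    awk '
        /^[[:space:]]*(#|$)/ { next }   # comments and blank lines
        /^@/ { next }                   # @cert-authority / @revoked markers
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) {
                k = names[i] " " $2
                if (!(k in seen)) seen[k] = $3
                else if (seen[k] != $3 && !(k in reported)) { reported[k] = 1; print k }
            }
        }'
}

# Demonstration: generate the file, then audit it together with a constructed
# stale entry that binds "www" to another key, as a user's old known_hosts
# would after the CNAME moved to a different server.
build_known_hosts
{ build_known_hosts; printf '%s\n' 'www,192.168.10.7 ssh-rsa AAAAB3placeholderOLDWWW'; } | find_conflicts
```

The key column for real servers can be collected with ssh-keyscan; running the audit over the generated file plus the users' existing known_hosts files reports every name that would trigger the warning before anyone sees it.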
 
Old 01-18-2011, 04:17 AM   #2
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 13.1
Posts: 1,320

Rep: Reputation: 252
I think what you face is a feature. When the CNAME points to a different server, it should warn the user, of course. You want to disable this?

What you can do is supply a global ssh_config file where you map arbitrary names to real hostnames. So at least some of the CNAMEs would be replaced by another (real) hostname by such an entry, and they work more like abbreviations.
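An added example of the mapping suggested in this reply (not the replier's own code): it turns a list of function names and the real hosts behind them into Host blocks for a global ssh_config, so "ssh www" connects to the real server and ssh looks its key up under the real name in the global ssh_known_hosts file. It also performs the check a practitioner would want: an alias is only emitted when its real host has a known_hosts entry, since with StrictHostKeyChecking yes an alias without one could never connect. The aliases, hostnames and keys are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate global ssh_config Host blocks from a CNAME-style
# alias list. Not from the thread; all names and keys are constructed.

# Constructed mapping: "alias real_fqdn", one per line.
ALIASES='www web1.example.internal
database db1.example.internal
ldap dir1.example.internal'

# Constructed global ssh_known_hosts content (placeholder keys). Note that
# dir1.example.internal has no entry, so the "ldap" alias must be rejected.
KNOWN_HOSTS='web1,web1.example.internal,192.168.10.5 ssh-rsa AAAAB3placeholderWEB1
db1,db1.example.internal,192.168.10.6 ssh-rsa AAAAB3placeholderDB1'

# known_hosts_has NAME: succeed if NAME is one of the comma-separated host
# patterns on some line of KNOWN_HOSTS (comment, marker and blank lines skipped).
known_hosts_has() {
    printf '%s\n' "$KNOWN_HOSTS" | awk -v want="$1" '
        /^[[:space:]]*(#|@|$)/ { next }
        { n = split($1, names, ","); for (i = 1; i <= n; i++) if (names[i] == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# gen_ssh_config: print a Host block per alias whose real host is known;
# aliases without a known_hosts entry are reported on stderr and skipped.
# The "Host *" defaults go last because ssh keeps the first value it obtains
# for an option, so the specific blocks above take precedence.
gen_ssh_config() {
    printf '%s\n' "$ALIASES" | while read -r alias real; do
        [ -n "$alias" ] || continue
        if known_hosts_has "$real"; then
            printf 'Host %s\n    HostName %s\n\n' "$alias" "$real"
        else
            printf 'skipping %s: no ssh_known_hosts entry for %s\n' "$alias" "$real" >&2
        fi
    done
    printf 'Host *\n    StrictHostKeyChecking yes\n    GlobalKnownHostsFile /etc/ssh/ssh_known_hosts\n'
}

# count_mapped: number of aliases that received a Host block.
count_mapped() {
    gen_ssh_config 2>/dev/null | grep -c '^    HostName '
}

# Demonstration: print the generated configuration.
gen_ssh_config
```

After the output is installed as /etc/ssh/ssh_config, `ssh -G www` (OpenSSH 6.8 or later) prints the effective hostname and strict-checking setting that the alias resolves to, which is a quick way to confirm the mapping took effect for each function name.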
Tags
dns, host, keys, security, ssh
All times are GMT -5.