LinuxQuestions.org
Old 09-28-2016, 12:31 AM   #1
aristosv
Member
 
Registered: Dec 2014
Posts: 203

Rep: Reputation: 3
known_hosts, same hostname, different ip address


When a client connects to a server using SSH and authentication keys, the "authorized_keys" file is used to authenticate the user and the "known_hosts" file is used to authenticate the server.

In my scenario, the server will always have the same hostname, but there's a chance that its IP Address will change. So the IP Address won't match the IP Address of the "known_hosts" file on the client.

My question is: will the client ask if I trust the server I'm connecting on? And someone will have to type "yes"? Or since the hostname remains the same, it will be able to connect without asking any questions?

The OS is Debian 8, on client and server.
 
Old 09-28-2016, 03:26 AM   #2
SAbhi
Member
 
Registered: Aug 2009
Location: Bangaluru, India
Distribution: CentOS 6.5, SuSE SLED/ SLES 10.2 SP2 /11.2, Fedora 11/16
Posts: 665

Rep: Reputation: Disabled
Well, it won't be on the known hosts so it will ask for confirmation.
 
Old 09-28-2016, 11:24 AM   #3
rtmistler
Moderator
 
Registered: Mar 2011
Location: USA
Distribution: MINT Debian, Angstrom, SUSE, Ubuntu, Debian
Posts: 9,222
Blog Entries: 13

Rep: Reputation: 4276
Quote:
Originally Posted by aristosv
My question is: will the client ask if I trust the server I'm connecting on? And someone will have to type "yes"? Or since the hostname remains the same, it will be able to connect without asking any questions?
One thing to do is to read the manual page on ssh. It discusses how hosts are identified and authenticated. It actually implies that the ssh key is one of the main validation points and thus IP spoofing or simple IP address changes are something that it understands and recognizes. In the event of IP address spoofing, the key will not exist at the spoofing side so the session will fail. For IP address changes, the key will exist on both sides so authentication should still pass.

So I'm not sure it will ask if the host is trusted since they already do have a key. known_hosts is not a file containing hostname and address, both of those are not found in that file and instead ssh keys are found in that file.
 
Old 09-28-2016, 02:13 PM   #4
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 4,517

Rep: Reputation: 2070
Quote:
Originally Posted by aristosv
My question is: will the client ask if I trust the server I'm connecting on? And someone will have to type "yes"? Or since the hostname remains the same, it will be able to connect without asking any questions?
It shouldn't be a problem. I have a laptop that gets a different IP address on my network depending on whether I'm using a wireless or wired connection. I've never had an issue with the one host key not being accepted.
 
Old 09-28-2016, 03:29 PM   #5
IsaacKuo
Senior Member
 
Registered: Apr 2004
Location: Baton Rouge, Louisiana, USA
Distribution: Debian 9 Stretch
Posts: 2,355
Blog Entries: 8

Rep: Reputation: 387
Quote:
Originally Posted by aristosv
In my scenario, the server will always have the same hostname, but there's a chance that its IP Address will change. So the IP Address won't match the IP Address of the "known_hosts" file on the client.

My question is: will the client ask if I trust the server I'm connecting on? And someone will have to type "yes"? Or since the hostname remains the same, it will be able to connect without asking any questions?
It will not ask any questions if the hostname used to connect is the same - in other words, you're connecting with something like "ssh myserver.flibby.org" rather than "ssh 24.25.200.57". It will, however, give a warning that looks something like this if the IP address has changed to something that was never connected to before:

Code:
Warning: Permanently added the ECDSA host key for IP address '24.25.200.57' to the list of known hosts.
It does not require pressing any key or anything to continue past this warning, and if you're the end user you might not even notice the warning. But it's there.

HOWEVER, if this "new" IP address is coincidentally the IP address of a computer which the user has, in the past, connected to, it will likely throw a big warning of a possible man-in-the-middle attack. That is, unless the previous computer had the same public key (i.e. it was the same computer last time).
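
Added example, not part of the thread and not OpenSSH's own code: a simplified Python model of the known_hosts lookup that post #5 describes, checking the hostname and the resolved IP separately and reading both plain and hashed (`|1|salt|hash`, as written when HashKnownHosts is on) host fields. It assumes IP checking is enabled (the CheckHostIP option); the key blobs, salt, 192.0.2.x addresses and function names are constructed for illustration, and wildcard patterns are not handled.

```python
import base64, hashlib, hmac

def hashed_name(name, salt):
    """HashKnownHosts-style field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def field_names(field, name):
    """True if a known_hosts host field (hashed, or a plain comma list) names `name`."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return name in field.split(",")

def keys_for(known_hosts, name):
    """Set of (keytype, key) pairs recorded for `name`; comments and @markers skipped."""
    found = set()
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0][0] not in "#@" and field_names(parts[0], name):
            found.add((parts[1], parts[2]))
    return found

def classify(known_hosts, hostname, ip, offered):
    """Outcome of `ssh hostname` when it resolves to `ip` and the server offers `offered`."""
    by_name, by_ip = keys_for(known_hosts, hostname), keys_for(known_hosts, ip)
    if not by_name:
        return "prompt: hostname not in known_hosts"
    if offered not in by_name:
        return "refuse: host key for hostname changed"
    if not by_ip:
        return "connect: key added for new IP, warning printed"
    if offered not in by_ip:
        return "warn: this IP is recorded with a different key"
    return "connect: silent"

# Constructed sample data: key blobs and salt are placeholders, not real keys.
KEY_A = ("ecdsa-sha2-nistp256", "AAAA-constructed-key-A")
KEY_B = ("ecdsa-sha2-nistp256", "AAAA-constructed-key-B")
SALT = b"constructed-salt-001"
SAMPLE = "\n".join([
    "%s %s %s" % (hashed_name("myserver.flibby.org", SALT), *KEY_A),
    "%s %s %s" % (hashed_name("192.0.2.10", SALT), *KEY_A),
    "oldbox.example,192.0.2.99 %s %s" % KEY_B,
])
if __name__ == "__main__":
    for ip in ("192.0.2.10", "24.25.200.57", "192.0.2.99"):
        print(ip, "->", classify(SAMPLE, "myserver.flibby.org", ip, KEY_A))
```

The three addresses in the loop are the unchanged IP, a never-seen IP, and an IP previously recorded for a different machine.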
 
  

