Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-17-2011, 06:12 AM   #1
Registered: Jun 2007
Location: Munich, Germany
Distribution: RHEL, CentOS, Fedora, SLES (...)
Posts: 399

Rep: Reputation: 39
Global ssh_known_hosts and DNS CNAMEs

Currently I am populating a global ssh_known_hosts file with RSA and DSS host keys.

short_name,fqdn,192.168.x.y ssh-dss .........
short_name,fqdn,192.168.x.y ssh-rsa .........
Some users don't use the FQDN of a server to log on via ssh, as the servers also possess CNAMEs according to their function.

So the user has to maintain his or her own known_hosts file, which is error-prone.

For example, if a server becomes obsolete and the CNAME points to a different server, the user is warned about a possible man-in-the-middle attack and a changed host key.

If this happens regularly, the user may just ignore this message and the additional protection vanishes.

Is there a way that ssh only uses the IP address to check the host key? Ultimately, strict host key checking should be enabled.

The DNS server is a Windows server that does not support storing the host keys. I have no access to the zones and may not transfer them, so I cannot dig out all CNAMEs for a server and use them in the ssh_known_hosts file.

Last edited by brianmcgee; 01-17-2011 at 06:25 AM.
Old 01-18-2011, 03:17 AM   #2
Senior Member
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 13.1
Posts: 1,328

Rep: Reputation: 254
I think what you face is a feature. When the CNAME points to a different server it should warn the user of course. You want to disable this?

What you can do is supply a global ssh_config file in which you map arbitrary names to real hostnames. So at least some of the CNAMEs would be replaced by another (real) hostname by such an entry, and they work more like abbreviations.
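As an added illustration of the approach described in both posts (not code from either poster), the script below builds the two files from one small inventory: a global ssh_known_hosts in which the short name, FQDN, IP and every function alias share one key line, and an ssh_config in which each alias is mapped to the canonical FQDN with HostName, so the client connects to, and checks the key of, the real server regardless of where the CNAME currently points. Hostnames, addresses and key blobs are constructed sample data; StrictHostKeyChecking, CheckHostIP, GlobalKnownHostsFile, Host and HostName are standard ssh_config keywords.

```shell
#!/bin/sh
# Added example: generate a global ssh_known_hosts and matching ssh_config
# alias stanzas from an inventory, so users never maintain host keys by hand.
# Inventory format (constructed sample data, hypothetical hosts, truncated keys):
#   canonical_fqdn ip key_type key_blob alias1,alias2,...
INVENTORY='web01.example.test 192.168.1.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLE1 www,intranet
db01.example.test 192.168.1.20 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLE2 database'

# One known_hosts line per host key. The known_hosts format allows a
# comma-separated list of names (and addresses) in front of the key, so a
# user connecting by any of these names matches the same distributed key.
known_hosts_line() {
    fqdn=$1; ip=$2; ktype=$3; kblob=$4; aliases=$5
    short=${fqdn%%.*}
    names="$short,$fqdn,$ip"
    if [ -n "$aliases" ]; then
        names="$names,$aliases"
    fi
    printf '%s %s %s\n' "$names" "$ktype" "$kblob"
}

# ssh_config stanzas: each function alias is mapped to the canonical FQDN.
# ssh then connects to the real server and looks the key up under that
# name, so re-pointing the CNAME in DNS no longer changes the expected key
# and no longer produces a spurious "host key changed" warning.
ssh_config_stanza() {
    fqdn=$1; aliases=$2
    oldifs=$IFS; IFS=,
    for a in $aliases; do
        printf 'Host %s\n    HostName %s\n' "$a" "$fqdn"
    done
    IFS=$oldifs
}

# Emit the complete ssh_known_hosts content for the inventory.
build_known_hosts() {
    printf '%s\n' "$INVENTORY" | while read -r fqdn ip ktype kblob aliases; do
        if [ -n "$fqdn" ]; then
            known_hosts_line "$fqdn" "$ip" "$ktype" "$kblob" "$aliases"
        fi
    done
}

# Emit the complete ssh_config content: strict defaults first, then aliases.
build_ssh_config() {
    # Refuse unknown or changed keys outright and also verify the IP address.
    printf 'StrictHostKeyChecking yes\n'
    printf 'CheckHostIP yes\n'
    printf 'GlobalKnownHostsFile /etc/ssh/ssh_known_hosts\n'
    printf '%s\n' "$INVENTORY" | while read -r fqdn ip ktype kblob aliases; do
        if [ -n "$fqdn" ]; then
            ssh_config_stanza "$fqdn" "$aliases"
        fi
    done
}

# Usage: ./gen.sh known_hosts > ssh_known_hosts ; ./gen.sh ssh_config > ssh_config
case "${1:-}" in
    known_hosts) build_known_hosts ;;
    ssh_config)  build_ssh_config ;;
esac
```

The generated files are meant to be distributed to clients (for example under /etc/ssh/) from one place; when a server is replaced, only the inventory changes and the regenerated files carry the new key, instead of each user deleting stale lines from a personal known_hosts.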


dns, host, keys, security, ssh
