https://bugzilla.mindrot.org/show_bug.cgi?id=1039

Iain Morgan <imor...@nas.nasa.gov> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |imor...@nas.nasa.gov

--- Comment #13 from Iain Morgan <imor...@nas.nasa.gov> ---
My apologies for re-opening a long-closed bug, but this feature seems like a
bad idea. The description of HostKeyAlias in ssh_config(5) only refers to
using the alias for the purpose of looking up or storing keys. Thus, having it
also affect the password prompt is quite unexpected.

While the current behaviour addresses one issue, it creates others:

In our environment, we use a proxy command to implement load-balancing between
a number of front-ends for a cluster. Users ssh to a special hostname, which is
not in DNS, to invoke the load-balancer and all of the front-end systems share
the same host keys. The ssh_config entry looks something like this:

    Host balancer
        HostKeyAlias frontend1
        ProxyCommand /usr/local/bin/ssh-balance %h

The HostKeyAlias option is needed because there is not an actual host named
balancer and no entry for that name in the ssh_known_hosts file.

Consequently, the password prompt always indicates frontend1 regardless of what
host the user is actually directed to by the proxy command. This is deceptive
and has caused some confusion when debugging issues.

Perhaps it would be better to use a separate option to allow manipulation of
the password prompt. Alternatively, perhaps some logic could be added to limit
the circumstances where the key alias rather than the hostname is used in the
prompt.

A potential fix (for our environment) might be:

    const char *host = (options.host_key_alias && !options.proxy_command) ?
        options.host_key_alias : authctxt->host;
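
An added example, not part of the original comment or of OpenSSH: a small Python model of the behaviour comment #13 describes. It resolves Host blocks in an ssh_config text and reports which name the password prompt would show, with and without the proposed proxy_command check. The second Host entry (db-alias), the function names and the simplified parsing (no Match or Include handling, case-sensitive glob matching) are assumptions made for the illustration.

```python
import fnmatch
import re

# Constructed sample: the first entry is the one quoted in the comment,
# the second (db-alias) is hypothetical, added for contrast.
SAMPLE_CONFIG = """\
Host balancer
    HostKeyAlias frontend1
    ProxyCommand /usr/local/bin/ssh-balance %h

Host db-alias
    HostKeyAlias db1
"""

def effective_options(config_text, host):
    """Options that apply to `host`; the first value obtained wins."""
    opts, active = {}, True  # lines before the first Host apply to every host
    for raw in config_text.splitlines():
        m = re.match(r"\s*([A-Za-z]+)\s*=?\s*(.*)", raw)
        if not m:
            continue  # blank line or comment
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            pats = value.split()
            pos = [p for p in pats if not p.startswith("!")]
            neg = [p[1:] for p in pats if p.startswith("!")]
            active = (any(fnmatch.fnmatchcase(host, p) for p in pos)
                      and not any(fnmatch.fnmatchcase(host, p) for p in neg))
        elif key == "match":
            active = False  # simplification: Match blocks are skipped
        elif active:
            opts.setdefault(key, value)
    return opts

def has_proxy(opts):
    """True when a ProxyCommand is set and not disabled with 'none'."""
    return opts.get("proxycommand", "none").lower() != "none"

def prompt_host(opts, host, proposed_fix=False):
    """Name shown in the password prompt, per the behaviour in the comment."""
    alias = opts.get("hostkeyalias")
    if alias and not (proposed_fix and has_proxy(opts)):
        return alias
    return host

def audit(config_text, hosts):
    """Hosts whose prompt names the key alias although a proxy picks the target."""
    return [(h, o["hostkeyalias"]) for h in hosts
            for o in [effective_options(config_text, h)]
            if "hostkeyalias" in o and has_proxy(o)]
```

Running audit() over the host names users actually type lists the entries where the prompt can name a machine other than the one the proxy command connects to.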