[Bug 2293] ssh should have an option to automatically trust a local sshd's host key for a given set of names
https://bugzilla.mindrot.org/show_bug.cgi?id=2293

Damien Miller changed:

           What    |Removed   |Added
           Status  |RESOLVED  |CLOSED

--- Comment #3 from Damien Miller ---
closing resolved bugs as of 8.6p1 release

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2293] ssh should have an option to automatically trust a local sshd's host key for a given set of names
https://bugzilla.mindrot.org/show_bug.cgi?id=2293

Damien Miller changed:

           What        |Removed   |Added
           Blocks      |          |2782
           Status      |NEW       |RESOLVED
           Resolution  |---       |FIXED
           CC          |          |d...@mindrot.org

--- Comment #2 from Damien Miller ---
I've committed 4f011daa4cad to clean up the NoHostAuthenticationForLocalhost
explanation.

For hosts other than localhost, you can use "Match host" +
UserKnownHostsFile=/dev/null + StrictHostKeyChecking=no

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2782
[Bug 2782] Tracking bug for OpenSSH 7.7 release
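An ssh_config fragment, added here as an illustration and not part of the bug report or of OpenSSH itself, showing the "Match host" form of the workaround from Comment #2 scoped to a named set of hosts, next to the loopback-only option. The host patterns and addresses are made up; what matters is that the relaxation stays confined to that Match block while every other host keeps full host key verification.

```sshconfig
# ~/.ssh/config  (added example; host names and addresses are invented)
#
# ssh_config uses the FIRST value obtained for each option, so the Match
# block must come before any "Host *" defaults that set the same options.

# Throwaway lab VMs whose host keys change on every rebuild.
Match host vm-*.lab.example,10.0.0.*
    # Never record their keys, so a regenerated key cannot conflict later
    UserKnownHostsFile /dev/null
    # Accept whatever key they present: no host key verification for them
    StrictHostKeyChecking no
    # Suppress the "Permanently added ... to the list of known hosts" notice
    LogLevel ERROR

# Loopback only: the option the bug ended up documenting instead
Host localhost
    NoHostAuthenticationForLocalhost yes

# Everything else keeps the normal, verified behaviour
Host *
    StrictHostKeyChecking ask
    UserKnownHostsFile ~/.ssh/known_hosts
```

Running `ssh -G vm-01.lab.example` versus `ssh -G git.example.org` prints the effective per-host values, which is the quickest way to confirm the relaxed settings did not leak outside the Match block.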
[Bug 2293] ssh should have an option to automatically trust a local sshd's host key for a given set of names
https://bugzilla.mindrot.org/show_bug.cgi?id=2293

--- Comment #1 from Christoph Anton Mitterer ---
I just saw that NoHostAuthenticationForLocalhost=yes nearly already does what
I've asked for.

It even works for other names than "localhost", e.g. "ip6-localhost" or
"hostname" / "hostname.fqdn", so I guess the check, whether a target is
localhost, is based on whether it resolves to 127.0.0.0/8 or ::1, right?

1) I think it would be nice to have it in the manpage, how it actually
determines whether a host is local.

2) The only thing that would be missing from what I've asked for above is
that it would also work for addresses (and names resolving to these) that
are bound to local interfaces, e.g. if my eth0 listens to 1.2.3.4, then it
is accepted as well.

But I'm no longer sure myself whether this would be so smart and secure. The
loopback device is defined to really go to the localhost only, but any other
addresses may have black magic functionality (e.g. address rewriting).

I've reworked the documentation a bit:
https://github.com/openssh/openssh-portable/pull/10

Afterwards I think we can close this issue.