On Fri, 1 Apr 2011, Matthew Dempsky wrote:

> Anyway, I'm interested in knowing what people think of adding this
> feature.  I don't know of any other getaddrinfo(3) implementations
> that support it, but djm@ mentioned that it would be nice to have in
> OpenSSH for host key validation.

To expand on the problem that this solves - consider what happens when
you ssh to an unqualified hostname ("ssh monkeynuts"). Currently, the
host's key is recorded alongside its unqualified name, and if you ever
ssh to the same host using a qualified domain (e.g. because your laptop
received a different one via DHCP) then you will receive a new hostkey
warning and an extra entry in known_hosts.

There are various hacks around this in ssh_config(5) such as explicitly
listing each host and specifying its full hostname using a Hostname
directive, or applying a default domain name to all hosts. Unfortunately
these have annoying corner cases or are a maintenance hassle.

The situation is worse for host certificates, where you don't really want
to sign unqualified host names at all. 

AI_FQDN solves these problems quite nicely. It is also useful for web
browsers that face a similar problem (e.g. https://intranet/) but
getting them to adopt it might be more tricky. I'd love to see this get
deployed so we can use it in OpenSSH (which we can change quickly)

-d

Reply via email to