
Re: sshfp records



Brad Alexander wrote:
> Rookie mistake from messing with this too late at night. Apparently it
> only works with fully qualified domain names (therefore working more
> like dig than host):

I wouldn't call that a rookie mistake.  It seems like a missing
feature that it doesn't map through to the dns name of the host.  That
just seems like it is missing some maturity in this brand new
feature.  (I haven't used the feature yet.  Thank you for motivating
me to look at it at least a little bit.)

> Not sure how I'm going to work around this. I may just dispense with
> sshfp records for the time being, unless something jumps out at me.

Does mapping short names to long names in the ~/.ssh/config help?
Just an idea.  I am thinking something like this:

  Host host
    Hostname host.example.com

And that type of thing can be done system globally by adding it to the
/etc/ssh/ssh_config file.

The ssh in Squeeze 6 does not have this capability but Wheezy 7 added
the ability to use %h in the Hostname field.  So perhaps even
something like this on Wheezy or later.

  Host *
    Hostname %h.example.com

If a pattern is available such as all machines named abc100, abc101,
abc102, and so forth then doing it like this would avoid other
machines named with a different prefix.

  Host abc*
    Hostname %h.example.com

Just brainstorming.

I am curious about your use model.  Do you have a pool of machines and
are trying to avoid the warnings when used locally?  I avoid these on
my network pools by building an /etc/ssh/ssh_known_hosts file.  (I
dynamically update it in /var/lib/ssh and symlink it into /etc since I
am updating the file automatically making it quite volatile.)  Perhaps
simply using a global ssh_known_hosts file is easier?  Probably I am
guessing quite wrong.

Bob
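Added example, not part of the thread above and not OpenSSH's code: a small Python model of the two pieces the reply puts together, the `Host`/`Hostname %h` rewrite that turns a short name into the FQDN that `VerifyHostKeyDNS` looks up, and the SSHFP fingerprint check itself (hash of the raw key blob, per RFC 4255, which is what `ssh-keygen -r` emits). The 32 key bytes, the `abc*` rule set and the hostnames are constructed for illustration; the "ignore SHA-1 records when a SHA-256 record exists" policy is this example's own hardening choice, not a statement of OpenSSH's exact rules. Real records come from `ssh-keygen -r abc100.example.com -f /etc/ssh/ssh_host_ed25519_key.pub`, and they only add trust when the resolver validates DNSSEC and sets the AD bit; with an unvalidated answer, `VerifyHostKeyDNS yes` is no harder to spoof than plain DNS, so `ask` plus a global `ssh_known_hosts` is the safer default until DNSSEC is in place.

```python
import base64
import hashlib
import struct
from fnmatch import fnmatch

# SSHFP algorithm and fingerprint-type code points (RFC 4255, 6594, 7479).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def resolve_ssh_hostname(name, rules):
    """Emulate ssh_config 'Host pattern' / 'Hostname value' blocks.

    rules: (glob pattern, Hostname value) pairs in file order.  As in
    ssh_config the first matching block wins and %h expands to the name
    the user typed; an unmatched name is used unchanged.
    """
    for pattern, hostname in rules:
        if fnmatch(name, pattern):
            return hostname.replace("%h", name)
    return name


def ssh_string(data):
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(pub32):
    """Wire-format public key blob for ssh-ed25519 (RFC 8709)."""
    if len(pub32) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(pub32)


def key_type(blob):
    """The key type name is the first RFC 4251 string in the blob."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")


def openssh_line(blob, comment=""):
    """Encode a blob as an OpenSSH public-key line ('type base64 comment')."""
    line = f"{key_type(blob)} {base64.b64encode(blob).decode('ascii')}"
    return f"{line} {comment}".rstrip()


def blob_from_openssh_line(line):
    """Decode the key blob from a *.pub / ssh-keyscan style line."""
    fields = line.split()
    blob = base64.b64decode(fields[1])
    if key_type(blob) != fields[0]:
        raise ValueError("key type field does not match encoded blob")
    return blob


def sshfp_records(fqdn, blob, hash_types=(1, 2)):
    """Presentation-format SSHFP records for a host key, like ssh-keygen -r.

    The fingerprint is the hash of the raw key blob (RFC 4255 3.1.3), the
    same bytes that are base64-encoded in known_hosts and *.pub files.
    """
    alg = SSHFP_ALGORITHM[key_type(blob)]
    return [
        f"{fqdn}. IN SSHFP {alg} {fp} {SSHFP_HASH[fp](blob).hexdigest()}"
        for fp in hash_types
    ]


def parse_sshfp(rr):
    """Parse a presentation-format SSHFP record into (alg, fptype, hex)."""
    fields = rr.split()
    rdata = fields[fields.index("SSHFP") + 1:]
    # dig may wrap long hex rdata across whitespace; rejoin it.
    return int(rdata[0]), int(rdata[1]), "".join(rdata[2:]).lower()


def verify_host_key(blob, records):
    """Toy version of the check VerifyHostKeyDNS performs.

    True when a record for this key's algorithm carries the matching
    fingerprint.  Example policy (an assumption, not OpenSSH's exact
    rule): once any SHA-256 record exists for the algorithm, SHA-1
    records are ignored, so a lone SHA-1 record cannot vouch for a key.
    """
    alg = SSHFP_ALGORITHM[key_type(blob)]
    parsed = [parse_sshfp(r) for r in records]
    cands = [(a, t, h) for a, t, h in parsed if a == alg and t in SSHFP_HASH]
    if any(t == 2 for _, t, _ in cands):
        cands = [c for c in cands if c[1] == 2]
    return any(SSHFP_HASH[t](blob).hexdigest() == h for _, t, h in cands)


if __name__ == "__main__":
    # Constructed sample: 32 arbitrary bytes stand in for a real ed25519
    # public key (fingerprinting does not check curve validity).
    rules = [("abc*", "%h.example.com"), ("host", "host.example.com")]
    fqdn = resolve_ssh_hostname("abc100", rules)
    blob = ed25519_blob(bytes(range(32)))
    for rr in sshfp_records(fqdn, blob):
        print(rr)
    print("verified:", verify_host_key(blob, sshfp_records(fqdn, blob)))
```

To compare against what is actually published, feed the output of `dig +dnssec abc100.example.com SSHFP` to `parse_sshfp` and the line from `ssh-keyscan -t ed25519 abc100.example.com` to `blob_from_openssh_line`; a mismatch means either the zone is stale or the host is not who it claims to be.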
