In the following I'm talking about the OpenSSH Client installed by default on debian.
I'd like to have multiple (sub)domains pointing to my server(s) (so multiple per server), i.e. database.example.com, webserver.example.com etc. I want this because I have multiple servers and sometimes I don't know by heart which service is running on which server. I want to manage this by DNS by having a subdomain for every service and then I can use this subdomain to SSH into the right server without having to remember on which server the service is running.
The problem is: The fingerprint seems to include the domain name. So if database.example.com and webserver.example.com are pointing to the same IP and I used database.example.com and verified the fingerprint (so it's added to known_hosts) then I have to do the verification again if I SSH into the server via webserver.example.com later.
I don't understand why the domain and not the IP address the domain resolves to is used here. Is there any way to use the IP instead of the domain in the fingerprint? (maybe some configuration option).
And if so can enabling this introduce a security problem?
And why is it even implemented this way in the first place? Also, as far as I understand, the fingerprint is derived from the server's public key, for which only the server has the matching private key. So why is it even necessary to include anything like the domain or IP? Doesn't this only prevent me from accidentally connecting to one of my other servers which I have saved in known_hosts?
Adding keys for every subdomain I use to connect to a server to known_hosts is my least preferred option, since it's much more work and invites one to ignore the key checking, since one gets used to the fact that it asks if the key is correct multiple times for the same server.
I think this post is related, but it's just saying that it's handled that way and not why, and whether there's a way to change that behaviour.
Thanks in advance
Edit:
I also found this post now suggesting to disable StrictHostKeyChecking,
but as far as I understand this allows to ssh-add all fingerprints, which as far as I understand is a problem from a security standpoint. What I want is that, even if I use the domain to connect to the server, the IP is used for fingerprint checking (ssh resolves the IP itself anyway, which you can see when using the -vvv flag).
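As an added example (not part of the question above), a small Python script that parses a known_hosts file and groups the name patterns by the SHA256 fingerprint of the host key they trust, so you can see at a glance which names are already bound to the same server key. The known_hosts content and the key blobs below are constructed for illustration, not real keys.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw32: bytes) -> str:
    """Build a base64 key blob in known_hosts form (constructed, not a real key)."""
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(raw32)).decode()


# Constructed sample: one host key reachable under two DNS names and its IP,
# plus a second server that appears once plainly and once as a hashed entry.
KEY_A = make_ed25519_blob(bytes(range(32)))
KEY_B = make_ed25519_blob(bytes(range(32, 64)))
SAMPLE_KNOWN_HOSTS = "\n".join([
    f"database.example.com ssh-ed25519 {KEY_A}",
    f"webserver.example.com,203.0.113.10 ssh-ed25519 {KEY_A}",
    f"other.example.com ssh-ed25519 {KEY_B}",
    f"|1|c2FsdA==|aGFzaA== ssh-ed25519 {KEY_B}",
])


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def group_by_key(text: str) -> dict:
    """Map each host-key fingerprint to the known_hosts names that trust it."""
    groups = defaultdict(list)
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # @cert-authority / @revoked markers
            fields = fields[1:]
        if len(fields) < 3:
            continue
        names, blob = fields[0], fields[2]
        labels = ["<hashed>"] if names.startswith("|1|") else names.split(",")
        groups[fingerprint(blob)].extend(labels)
    return dict(groups)


def shared_keys(text: str) -> dict:
    """Only the fingerprints trusted under more than one name."""
    return {fp: n for fp, n in group_by_key(text).items() if len(n) > 1}


if __name__ == "__main__":
    for fp, names in shared_keys(SAMPLE_KNOWN_HOSTS).items():
        print(fp, "->", ", ".join(names))
```

Run it against `~/.ssh/known_hosts` by reading the file into `shared_keys`; hashed entries (HashKnownHosts) are reported as `<hashed>` because their names cannot be recovered.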