From: Christoph Anton Mitterer <mail@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> Based on the previous documentation of the IgnoreUserKnownHosts directive, the average user could easily think that the default value “no” is the more secure choice (in the sense of “do not even check in ~/.ssh/known_hosts”). • Clarify in sshd_config(5), that a value of “yes” in the IgnoreUserKnownHosts directive, makes sshd(8) only trust the global known hosts list (/etc/ssh/ ssh_known_hosts). Signed-off-by: Christoph Anton Mitterer <mail@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> --- sshd_config.5 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/sshd_config.5 b/sshd_config.5 index 43cc826..4ed3afc 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -627,7 +627,9 @@ should ignore the user's during .Cm RhostsRSAAuthentication or -.Cm HostbasedAuthentication . +.Cm HostbasedAuthentication +and instead only trust the systemwide +.Pa /etc/ssh/ssh_known_hosts . The default is .Dq no . .It Cm IPQoS -- 2.1.4 _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev