On Thu, Mar 14, 2019 at 8:01 PM Josh Soref <jsoref@xxxxxxxxx> wrote: > > Out of curiosity, why don't you just not store a host key for such systems? > That's what we do: > UserKnownHostsFile /dev/null > > Historically I would have been interested in such a thing, but I've long > since given up. You forgot "LogLevel Error" and "StrictHostKeyCheckng no" to completely disable the use of $HOME/.ssh/known_hosts and make it shut up. If the hosts I dealt with would have consistent IP addresses and DNS tied to host keys, I'd say "this is a potential security risk". However, I deal with multiple raw OS images deployed into virtualization environments with DHCP randomized IP addresses, regenerated multiple times a day, as a matter of course. The cost of saying "flush another old key" all the time is burdensome. That much extra work is actually anti-security. _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev