On Thu, 20 Feb 2020, James Ralston wrote: > On Fri, Feb 14, 2020 at 1:25 AM Damien Miller <djm@xxxxxxxxxxx> wrote: > > A future release of OpenSSH will enable UpdateHostKeys by default to > > allow the client to automatically migrate to better algorithms. > > Users may consider enabling this option manually. > > When you say “enable UpdateHostKeys by default,” do you mean a future > release of OpenSSH will default it to “ask”, or default it to “yes”? The default will be 'yes' unless the user has overridden UserKnownHostsFiles, in which case it will be 'no'. > The only other option with no/ask/yes options that doesn’t default to > no is StrictHostKeyChecking, which defaults to ask, so I suspect the > future default will be ask, not yes. > > I ask (no pun intended, ha) because we’d like to set UpdateHostKeys > _now_ to what the future default will be, but it’s not clear from the > announcement whether the future default will be ask or yes. You're certainly welcome to do that, but you should be warned that there are some corner-case bugs that are known to exist relating to host certificates and @revoked keys. If you're not using either of those then I'd appreciate your running with UpdateHostKeys=yes and reporting your experience. -d _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
