Re: future default for UpdateHostKeys: ask or yes?

On Thu, 20 Feb 2020, James Ralston wrote:

> On Fri, Feb 14, 2020 at 1:25 AM Damien Miller <djm@xxxxxxxxxxx> wrote:
> > A future release of OpenSSH will enable UpdateHostKeys by default to
> > allow the client to automatically migrate to better algorithms.
> > Users may consider enabling this option manually.
> 
> When you say “enable UpdateHostKeys by default,” do you mean a future
> release of OpenSSH will default it to “ask”, or default it to “yes”?

The default will be 'yes' unless the user has overridden
UserKnownHostsFiles, in which case it will be 'no'.

> The only other option with no/ask/yes options that doesn’t default to
> no is StrictHostKeyChecking, which defaults to ask, so I suspect the
> future default will be ask, not yes.
> 
> I ask (no pun intended, ha) because we’d like to set UpdateHostKeys
> _now_ to what the future default will be, but it’s not clear from the
> announcement whether the future default will be ask or yes.

You're certainly welcome to do that, but you should be warned that
there are some corner-case bugs that are known to exist relating to
host certificates and @revoked keys. If you're not using either of
those then I'd appreciate your running with UpdateHostKeys=yes and
reporting your experience.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
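
The pre-flight check implied by the reply above, as an added example that is not part of the original message or of OpenSSH: it scans known_hosts files for the `@cert-authority` and `@revoked` markers, the host-certificate and revoked-key cases the message warns about. The function names and the sample entries are constructed for illustration; pass your own files, for example `~/.ssh/known_hosts`, as arguments to `preflight`.

```shell
#!/bin/sh
# Added example (not from the thread): look for the known_hosts markers
# tied to the corner cases mentioned for UpdateHostKeys=yes.

# count_markers FILE MARKER -> prints how many entries begin with MARKER.
# A marker only counts as the first field, so comment lines are ignored.
count_markers() {
    awk -v m="$2" '$1 == m { n++ } END { print n + 0 }' "$1"
}

# preflight FILE... -> one status line per file; returns 0 only when no
# readable file contains a @cert-authority or @revoked entry.
preflight() {
    rc=0
    for f in "$@"; do
        [ -r "$f" ] || { echo "$f: not readable, skipped"; continue; }
        ca=$(count_markers "$f" "@cert-authority")
        rev=$(count_markers "$f" "@revoked")
        if [ "$ca" -gt 0 ] || [ "$rev" -gt 0 ]; then
            echo "$f: cert-authority=$ca revoked=$rev (corner cases apply)"
            rc=1
        else
            echo "$f: no host certificates or revoked keys"
        fi
    done
    return $rc
}

# make_samples DIR -> writes two constructed known_hosts files (fake keys).
make_samples() {
    cat > "$1/plain" <<'EOF'
# constructed sample: ordinary entries only
host1.example.com ssh-ed25519 AAAAconstructedkey1
|1|constructedsalt=|constructedhash= ssh-ed25519 AAAAconstructedkey2
EOF
    cat > "$1/marked" <<'EOF'
# @revoked inside a comment does not count
@cert-authority *.example.com ssh-ed25519 AAAAconstructedcakey
@revoked * ssh-rsa AAAAconstructedrevokedkey
host2.example.com ssh-ed25519 AAAAconstructedkey3
EOF
}

# Demo on the constructed files; replace with your own known_hosts paths.
demo_dir=$(mktemp -d) && make_samples "$demo_dir"
preflight "$demo_dir/plain" "$demo_dir/marked" || echo "markers found"
rm -rf "$demo_dir"
```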



