On Tue, Sep 29, 2020 at 8:22 PM Darren Tucker <dtucker@xxxxxxxxxxx> wrote: > > On Tue, 29 Sep 2020 at 23:16, Nico Kadel-Garcia <nkadel@xxxxxxxxx> wrote: > [...] > > I gave up on $HOME/.ssh/known_hosts a *long* time ago, because if > > servers are DHCP distributed without static IP addresses they can wind > > up overlapping IP addresses with mismatched hostkeys > > You can set CheckHostIP=no in your config. As long as the names don't > change it'll do what you want, and it's far safer than what you > suggest. > > [...] > > This has been the case since SSH-1 was written in 1995. > > CheckHostIP was added to OpenSSH in 1999 before the first release and > has been in every release since: > https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/readconf.c.diff?r1=1.7&r2=1.8&f=h As I understand this option, it does not help at all with the nearly inevitable re-use of the same IP address for a different host with a different hostkey in, for example, a modest DHCP based environment. Such environments are common both in smaller, private networks and in large public networks, and it's perhaps startlingly common in cloud environments: it's one of the reasons I'm so willing to disable $HOME/.ssh/known_hosts. _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
