On Tue, Sep 29, 2020 at 10:56 PM Damien Miller <djm@xxxxxxxxxxx> wrote:
>
> On Tue, 29 Sep 2020, Nico Kadel-Garcia wrote:
>
> > As I understand this option, it does not help at all with the nearly
> > inevitable re-use of the same IP address for a different host with a
> > different hostkey in, for example, a modest DHCP based environment.
> > Such environments are common both in smaller, private networks and in
> > large public networks, and it's perhaps startlingly common in cloud
> > environments: it's one of the reasons I'm so willing to disable
> > $HOME/.ssh/known_hosts.
>
> Again, you should read the documentation for CheckHostIP. Turning it off
> makes known_hosts solely bind to hostnames and, as long as you use names
> to refer to hosts, avoids any problems caused by IP address reuse.

Have you used AWS? Unless you spend the time and effort, the hostname
registered in AWS DNS is based on the IP address. Many people do *not* use
consistent subnets for distinct classes of server or specific OS images, so
different servers wind up on the same IP address with distinct hostkeys based
on factors like autoscaling, for which IP addresses are not predictable.

You can work around it by locking down and sharing hostkeys for your OS
images, or by segregating subnets based on application and corresponding OS
image. These present other burdens.

For small networks, you can manage the keys and/or the DNS sanely and
consistently. It's also much easier if the same person doing security tools
like SSH is also managing DNS. But this is rare for larger environments.

It's partly why I recommend the "disable known_hosts" hammer: it ends fiddling
with what is likely to bite at an extremely inopportune moment.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
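The two positions in the thread (CheckHostIP binding to names vs. cloud hostnames that are themselves derived from the address) can be checked against a small model of the known_hosts lookup. This is an added example, not OpenSSH's code or part of the thread; it re-implements the matching rule in simplified form over a constructed plaintext known_hosts with placeholder keys, and the `ip-10-0-0-5.ec2.internal` style name stands in for an address-derived cloud hostname.

```python
"""Simplified model of OpenSSH known_hosts matching with CheckHostIP on/off.
Added example, not OpenSSH's code; constructed plaintext (unhashed)
known_hosts with placeholder key strings, not real public keys."""


def parse_known_hosts(text):
    """Map each comma-separated host pattern to its (key type, key) pair."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        hosts, keytype, key = line.split()[:3]
        for pattern in hosts.split(","):
            table[pattern] = (keytype, key)
    return table


def check_host(table, hostname, ip, presented, check_host_ip=True):
    """Verdict for one connection: the hostname entry is authoritative, and
    with CheckHostIP on a stale IP entry only adds a warning."""
    by_name = table.get(hostname)
    if by_name is not None and by_name != presented:
        return "CHANGED"
    if check_host_ip:
        by_ip = table.get(ip)
        if by_ip is not None and by_ip != presented:
            return "WARN_IP_MISMATCH"
    return "OK" if by_name is not None else "NEW"


# Constructed: alpha held 10.0.0.5 first; beta is known by its stable name.
NAMED = parse_known_hosts(
    "alpha.example.internal,10.0.0.5 ssh-ed25519 KEY_ALPHA\n"
    "beta.example.internal ssh-ed25519 KEY_BETA\n"
)
# Constructed AWS-style entry: the hostname itself is derived from the address.
IP_NAMED = parse_known_hosts("ip-10-0-0-5.ec2.internal ssh-ed25519 KEY_ALPHA\n")
KEY_BETA = ("ssh-ed25519", "KEY_BETA")


def scenarios():
    """beta now holds 10.0.0.5 and presents KEY_BETA under each naming scheme."""
    beta, ip = "beta.example.internal", "10.0.0.5"
    return {
        "stable_name/CheckHostIP=yes": check_host(NAMED, beta, ip, KEY_BETA, True),
        "stable_name/CheckHostIP=no": check_host(NAMED, beta, ip, KEY_BETA, False),
        "ip_derived_name/CheckHostIP=no":
            check_host(IP_NAMED, "ip-10-0-0-5.ec2.internal", ip, KEY_BETA, False),
    }
```

With stable names, turning CheckHostIP off removes the stale-IP warning, while an address-derived hostname reports a changed key no matter how CheckHostIP is set.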