Re: UpdateHostkeys now enabled by default

Hi Damien,

UpdateHostkeys is an interesting feature. I hope you plan to document it
somewhat better in the ssh_config.5 file than is currently present?

My reading of the documentation is that it is ambiguous as to the
following:

  if StrictHostKeyChecking=yes and UpdateHostkeys=yes
  which option wins?

  (My vote is that StrictHostKeyChecking=yes wins every time.)

  If the hostkey that matches is found in GlobalKnownHostsFile, then I
  hope that the UpdateHostKeys is NOT used to update the
  UserKnownHostsFile ... 

  My vote is to assume that the GlobalKnownHostsFile is being properly
  managed and maintained for the listed hosts and UpdateHostKeys would
  be ignored in this case.

  I am unclear what happens with UpdateHostKeys when the key is found
  via DNS SSHFP and the use of VerifyHostKeyDNS settings.

  My vote is that if the key is found in DNS SSHFP records, the
  UpdateHostKeys does NOT get used to add to the UserKnownHostsFile.

  How do CheckHostIP=yes and UpdateHostKeys play together?
  It is not clear to me if the HostIP fingerprints AND the Hostname
  fingerprint records are BOTH to be added via the UpdateHostKeys
  directive or not.

I believe it would be wise to be explicit with regards to these impacts
to the UpdateHostKeys option as described in the man page.

Thank you for your consideration of these questions.

	Be safe, stay healthy,
	-- Mark
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev