Nico Kadel-Garcia wrote:

> And... *THIS* is why so many people disable known_hosts entirely. The
> chance of an IP address being reused for a distinct hostname is pretty
> high in a DHCP environment without reservations, coupled with dynamic
> DNS. It's also very common when servers get rebuilt from images and
> fresh hostkeys generated automatically on the same hardware, even with
> the same IP address. The popular solution is to simply disable
> known_hosts in your ~/.ssh/config as needed:

I mitigate this in two different ways.

For one, if servers are getting rebuilt routinely, such as for testing, for scaling out, or just normal replacement, then I always install the same role key for those servers. It's a replacement for a previous server? Then it gets the same role key as the prior server.

The second thing I do is build a global ssh_known_hosts with the known host keys of the dynamic server pool systems. Since the key is in the system-level ssh_known_hosts, it doesn't get added to the user-level known_hosts file. And the system-level file is updated as needed.

That's not to say that I don't /dev/null host keys in some cases too. Here, if I connect to an IP address, then I know it is just a one-off not to be saved, and I discard host keys in that case.

Bob

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
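The two practices Bob describes, written out as files, as an added example that is not part of the original message or of OpenSSH itself. It builds one system-level ssh_known_hosts line for a pool that shares a role host key, and an ssh_config fragment that pins pool hosts through that file while sending the keys of bare-IP, one-off connections to /dev/null. The pool domain `pool.example.internal`, the addresses, the paths and the placeholder public key are all assumptions for illustration; the `Match exec` test is a POSIX shell pipeline that OpenSSH runs with the `%h` token expanded to the target host.

```shell
#!/bin/sh
# Added example, not from the original message: files for the two practices
# described above. Hostnames, addresses, paths and the role key are assumptions
# for illustration (the key used in the demo is a constructed placeholder).
set -eu

# Same test the ssh_config "Match exec" below applies: is the target a bare
# IPv4 literal rather than a name?
is_ipv4_literal() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}[.]){3}[0-9]{1,3}$'
}

# One ssh_known_hosts line for a whole role: every name and address the pool
# members answer to, comma-separated, then the shared role key. Listing the
# addresses too matters: a connection by IP is then still checked against the
# pinned key even though the stanza below never records per-user keys for IPs.
# usage: role_known_hosts_line ROLE_PUBKEY_FILE host1 [host2 ...]
role_known_hosts_line() {
    pubkey_file=$1
    shift
    names=$(printf '%s,' "$@")
    names=${names%,}
    # keep "type base64" from the .pub file and drop its trailing comment
    key=$(awk '{print $1, $2}' "$pubkey_file")
    printf '%s %s\n' "$names" "$key"
}

# ssh_config fragment. Pool hosts are pinned through the system file and a
# mismatch is fatal; bare IP literals are one-offs whose keys go to /dev/null,
# so every such connection is treated as new and nothing is remembered.
ssh_config_fragment() {
    cat <<'EOF'
Host *.pool.example.internal
    GlobalKnownHostsFile /etc/ssh/ssh_known_hosts
    StrictHostKeyChecking yes

Match exec "echo %h | grep -Eq '^([0-9]{1,3}[.]){3}[0-9]{1,3}$'"
    UserKnownHostsFile /dev/null
    StrictHostKeyChecking accept-new
EOF
}

# Demo on constructed input: a placeholder .pub file, then both outputs.
demo() {
    pub=$(mktemp)
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYNOTREAL role-web\n' > "$pub"
    role_known_hosts_line "$pub" web01.pool.example.internal 10.0.0.11 \
                                 web02.pool.example.internal 10.0.0.12
    rm -f "$pub"
    echo
    ssh_config_fragment
}
demo
```

The generated line goes into /etc/ssh/ssh_known_hosts; `ssh-keygen -F 10.0.0.11 -f /etc/ssh/ssh_known_hosts` confirms the lookup works, and `ssh-keygen -H -f /etc/ssh/ssh_known_hosts` hashes the names afterwards if that is wanted. Two caveats a practitioner should weigh: a role key shared across a pool means one compromised member can impersonate every other, and the private key has to reach new instances over a trusted provisioning channel; and `UserKnownHostsFile /dev/null` with `accept-new` gives the bare-IP connections no protection against interception at all, which is exactly the trade the message describes for one-off hosts.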