On Fri, Oct 18, 2024 at 1:31 PM Jan Eden <tech@xxxxxxxx> wrote:
>
> On 2024-10-17 19:26, Nico Kadel-Garcia wrote:
> >
> > > Thank you! Increasing the verbosity revealed a known_hosts entry linked
> > > to serverA's IP address (I had forgotten that I had connected to it by
> > > IP address at some point). Deleting this entry solved the problem; the
> > > new host key was stored in known_hosts when I connected to serverA
> > > again.
> > >
> > > - Jan
> >
> > And... *THIS* is why so many people disable known_hosts entirely. The
> > chance of an IP address being reused for a distinct hostname is pretty
> > high in a DHCP environment without reservations, coupled with dynamic
> > DNS. It's also very common when servers get rebuilt from images and
> > fresh hostkeys generated automatically on the same hardware, even with
> > the same IP address. The popular solution is to simply disable
> > known_hosts in your ~/.ssh/config as needed:
> >
> > # Disable known_hosts to avoid IP re-use conflicts
> > Host *
> > UserKnownHostsFile /dev/null
> > StrictHostKeyChecking no
> > LogLevel ERROR
>
> Thanks for the hint. How would I verify a server's identity without
> known_hosts / StrictHostKeyChecking?

By verifying it with a TLS signature, if you feel the need to spend the
effort. Those don't scale well.

Otherwise, known_hosts entries are pretty much "first-come, first served",
and whoever's key is accepted first can commit a quite successful denial
of service attack against the second host. That's actually the *idea*,
but it presumes that the host_keys are consistent and stable identifiers
rather than merely public/private key pairs to ensure protection of
content. When the world was much smaller, back in 1995, known_hosts was
pretty useful. IP addresses and DNS were pretty stable and not prone to
modern drift, such as occurs in auto-scaling in cloud-based VLANs.

But re-use of IP addresses has become commonplace, especially with the
address space limits of IPv4 and the refusal of so many to even bother
with IPv6.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
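The stale entry Jan found was keyed by serverA's IP address rather than its name, which `ssh -v` exposed. Below is an added example, not code from the thread or from OpenSSH, that parses a known_hosts file (plain patterns, negated patterns, `@cert-authority` markers and hashed `|1|salt|hmac` entries) and reports which lines match a host or IP and which of them pin a different key than the one the host now presents; the sample file and its keys are constructed placeholders.

```python
import base64, fnmatch, hashlib, hmac

def hashed_host_field(host, salt):
    """Build the |1|salt|hmac host field OpenSSH writes when HashKnownHosts is on."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field, host):
    """True if a known_hosts host field (pattern list or hashed) matches host."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    matched = False
    for pat in field.split(","):  # comma-separated patterns; a leading "!" negates
        if fnmatch.fnmatchcase(host, pat.lstrip("!")):
            if pat.startswith("!"):
                return False
            matched = True
    return matched

def parse_known_hosts(text):
    """Yield (line_no, marker, host_field, key_type, key) for each entry."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = ""
        if fields[0].startswith("@"):  # @cert-authority or @revoked
            marker, fields = fields[0], fields[1:]
        if len(fields) >= 3:
            yield n, marker, fields[0], fields[1], fields[2]

def entries_for(text, host):
    return [e for e in parse_known_hosts(text) if host_matches(e[2], host)]

def conflicting_entries(text, host, key_type, key):
    """Matching plain entries that pin a different key of the same type."""
    return [e for e in entries_for(text, host)
            if e[1] == "" and e[3] == key_type and e[4] != key]

# Constructed sample with placeholder keys: serverA by name, plus a stale IP-keyed entry (plain and hashed).
NEW_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAINEWKEYplaceholder"
OLD_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIOLDKEYplaceholder"
SAMPLE = "\n".join([
    "servera.example.com ssh-ed25519 " + NEW_KEY,
    "192.0.2.10 ssh-ed25519 " + OLD_KEY,
    hashed_host_field("192.0.2.10", b"0123456789abcdefghij") + " ssh-ed25519 " + OLD_KEY,
    "@cert-authority *.example.com ssh-ed25519 " + NEW_KEY,  # CA marker, not a pin
])
```

OpenSSH's own `ssh-keygen -F <host>` and `ssh-keygen -R <host>` do this lookup and removal for a real file; the code shows the HMAC step they need for hashed entries, which is why a plain grep for the IP address will not find them.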