Date: Mon, 22 Nov 1999 13:21:10 -0500 (EST) From: Robert Watson <robert@cyrus.watson.org> To: Niels Provos <provos@monkey.org> Cc: Dug Song <dugsong@monkey.org>, Tomaz Borstnar <tomaz.borstnar@over.net>, freebsd-security@freebsd.org Subject: Re: OpenSSH & AllowHosts Message-ID: <Pine.BSF.3.96.991122115230.29731A-100000@fledge.watson.org> In-Reply-To: <Pine.BSO.4.10.9911221138380.22842-100000@funky.monkey.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 22 Nov 1999, Niels Provos wrote: > On Mon, 22 Nov 1999, Robert Watson wrote: > > regularly connect to. I found that the new OpenSSH ignores the > > hostname-based entries and adds new IP-based entries automatically, with > > minimal warning. Is it doing all lookups based on IP and adding the key > It does not ignore them. It does additional checking with the IP address. > You can disable this behaviour by setting CheckHostIP = no in your config > file. > > > asking for confirmation, even though host keys are already present with a > > by-name lookup, I'm not sure I like the behavior--names are more likely to > > remain consistent in the world of NATs, dynamic IPs with DNS update, etc. > IP address are only added if the host key associated with the domain name > matches. Did you actually encounter any problems with this? Yes, there This is what I wanted to know--that is, that existing host keys were being used. Limited use of dynamic IPs with DNS update is something that may end in the near-term future, and is something that probably should not be relied on. For example, my boxes off of a DSL line in my home currently have static IPs, but Bell Atlantic will be moving to PPPoE and dynamic IPs in the not-so-distant future. It's also not clear to my that IP checking improves security--instead it could cause bogus errors in the presence of dynamic update or changing IPs. Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.991122115230.29731A-100000>