Date: Mon, 22 Nov 1999 11:41:32 -0500 (EST)
From: Niels Provos <provos@monkey.org>
To: Robert Watson <robert+freebsd@cyrus.watson.org>
Cc: Dug Song <dugsong@monkey.org>, Tomaz Borstnar <tomaz.borstnar@over.net>, freebsd-security@freebsd.org
Subject: Re: OpenSSH & AllowHosts
Message-ID: <Pine.BSO.4.10.9911221138380.22842-100000@funky.monkey.org>
In-Reply-To: <Pine.BSF.3.96.991122005937.27394A-100000@fledge.watson.org>
On Mon, 22 Nov 1999, Robert Watson wrote:

> regularly connect to. I found that the new OpenSSH ignores the
> hostname-based entries and adds new IP-based entries automatically, with
> minimal warning. Is it doing all lookups based on IP and adding the key

It does not ignore them. It does additional checking with the IP address.
You can disable this behaviour by setting CheckHostIP = no in your config
file.

> asking for confirmation, even though host keys are already present with a
> by-name lookup, I'm not sure I like the behavior--names are more likely to
> remain consistent in the world of NATs, dynamic IPs with DNS update, etc.

IP addresses are only added if the host key associated with the domain name
matches. Did you actually encounter any problems with this? Yes, there
are many NATed networks and dynamic IPs out there, but most of them are
not used for remote login. As I said, setting CheckHostIP = no solves this,
if it is a problem for you.

Niels.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
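A simplified model of the check described in the message above, as an added example that is not part of the original e-mail and is not OpenSSH source code. The function name, return strings, host names, addresses and keys are constructed; how an unknown name, a changed name key and a conflicting IP entry are handled is an assumption of the model.

```python
# Simplified model of the CheckHostIP behaviour described in the message.
# Not OpenSSH code: names, return strings and sample data are constructed.

def check_host(known_hosts, hostname, ip, presented_key, check_host_ip=True):
    """Return (decision, notes); may add an IP entry to known_hosts.

    known_hosts maps a host name or an IP address string to a host key.
    """
    notes = []
    name_key = known_hosts.get(hostname)

    if name_key is None:
        # Assumption: an unknown name is left for the user to confirm,
        # and nothing is recorded for the IP address at this point.
        return "ask-user", notes
    if name_key != presented_key:
        # Assumption: a changed key for the name is refused. Per the
        # message, no IP entry is added unless the name's key matches.
        return "reject-name-mismatch", notes

    if not check_host_ip:
        # CheckHostIP = no: the by-name result is final, IPs are ignored.
        return "accept", notes

    ip_key = known_hosts.get(ip)
    if ip_key is None:
        # Name matched, so the IP is recorded alongside it.
        known_hosts[ip] = presented_key
        notes.append(f"added {ip} to known hosts")
    elif ip_key != presented_key:
        # Assumption: a conflicting IP entry produces a warning only.
        notes.append(f"warning: key for {ip} differs from key for {hostname}")
    return "accept", notes


if __name__ == "__main__":
    # Constructed sample data (documentation names and addresses).
    known = {"shell.example.org": "KEY-A", "mail.example.org": "KEY-B"}
    cases = [
        ("shell.example.org", "192.0.2.10", "KEY-A", True),   # first contact by IP
        ("shell.example.org", "192.0.2.99", "KEY-A", True),   # host got a new address
        ("mail.example.org", "192.0.2.10", "KEY-B", True),    # address reused by another host
        ("mail.example.org", "192.0.2.50", "KEY-B", False),   # CheckHostIP = no
        ("shell.example.org", "192.0.2.77", "KEY-X", True),   # name key does not match
    ]
    for host, ip, key, flag in cases:
        print(host, ip, check_host(known, host, ip, key, flag))
    print(sorted(known))
```

The third case is the dynamic-address situation raised in the quoted text: the name still matches, but an address recorded earlier for a different host now produces a warning.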