Package: openssh-client
Version: 1:6.6p1-7
Severity: wishlist

ssh_config(5) says about CheckHostIP:

> This allows ssh to detect if a host key changed due to DNS spoofing.

I think the situations where that detection might be helpful are quite rare. In the case of spoofing there will always be a message about the changed key for the hostname.

On the other hand, having it set to yes causes annoyance:

* UserKnownHostsFile grows for each host with dynamic DNS
* in networks with DHCP pools and dynamic DNS, IPs get shuffled around and you'll often get false alarms
* updating the hostkey of a multi-IPed server (perhaps a set of servers with RR DNS) by hand is hard because you have to find all the additional IP entries (with HashKnownHosts=on this might be even harder)
* when using openssh-known-hosts with filters you filter for hostnames, not IPs, because you can't know the IPs an organization (such as debian) will receive next for hosting their services:
  + UserKnownHostsFile will get entries for each IP
  + an updated hostkey in the centrally managed known_hosts file will not be changed in UserKnownHostsFile, leading to false alarms

I guess most people don't and shouldn't have to care about the IP address(es) the server they connect to currently has; the connection between hostname and hostkey is enough.

Therefore please set the default for CheckHostIP to no.

Greetings
Timo
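The third bullet above (finding every per-IP line for a host, harder still with HashKnownHosts) and the last sub-bullet (IP lines left behind after the hostname's key was updated centrally) are the same bookkeeping problem. The script below is an added example, not part of the bug report or of OpenSSH: it parses a known_hosts file, matches both plain and hashed (`|1|salt|digest`, HMAC-SHA1) host fields, and lists the IP entries whose keys no longer agree with the hostname's entry, i.e. exactly the lines CheckHostIP=yes would later flag as a changed key. The hostnames, addresses, keys and salt are constructed sample data.

```python
"""Find every known_hosts entry, plain or hashed, that belongs to one host.

Added example for the CheckHostIP discussion above; not part of the bug
report. All hostnames, addresses, keys and the salt below are constructed.
"""
import base64
import fnmatch
import hashlib
import hmac


def hash_host(name: str, salt: bytes) -> str:
    """Build a HashKnownHosts-style host field: |1|b64(salt)|b64(HMAC-SHA1(salt, name))."""
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def host_field_matches(field: str, name: str) -> bool:
    """True if a known_hosts host field covers `name`.

    Hashed fields (|1|salt|digest) are matched by recomputing the HMAC with
    the stored salt; plain fields are comma-separated exact names or globs.
    Negated (!pattern) entries are not handled here.
    """
    if field.startswith("|1|"):
        _, _, salt_b64, digest_b64 = field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(digest_b64))
    # exact compare first so "[host]:port" forms are not misread as a glob class
    return any(name == pattern or fnmatch.fnmatchcase(name, pattern)
               for pattern in field.split(","))


def parse_known_hosts(text: str):
    """Yield (lineno, marker, host_field, key_type, key) for each key line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        marker = parts.pop(0) if parts[0].startswith("@") else None
        if len(parts) < 3:
            continue  # malformed line, ignore
        yield lineno, marker, parts[0], parts[1], parts[2]


def entries_for(text: str, names):
    """Return [(lineno, matched_name, key_type, key)] for every host-key line
    covering any of `names`. @cert-authority / @revoked lines are skipped
    because they are not host keys."""
    found = []
    for lineno, marker, host_field, key_type, key in parse_known_hosts(text):
        if marker:
            continue
        for name in names:
            if host_field_matches(host_field, name):
                found.append((lineno, name, key_type, key))
    return found


def stale_ip_entries(text: str, hostname: str, ips):
    """Return the IPs whose stored keys share nothing with the hostname's keys.

    After the hostname's entry has been updated (by hand or from a centrally
    managed known_hosts), these per-IP lines are what CheckHostIP=yes will
    still report as a changed host key.
    """
    keys_by_name = {}
    for _, name, key_type, key in entries_for(text, [hostname] + list(ips)):
        keys_by_name.setdefault(name, set()).add((key_type, key))
    host_keys = keys_by_name.get(hostname, set())
    return sorted(ip for ip in ips
                  if ip in keys_by_name and not (keys_by_name[ip] & host_keys))


# Constructed sample data (not from any real system).
SAMPLE_HOST = "git.example.org"
SAMPLE_IPS = ["192.0.2.10", "192.0.2.11", "2001:db8::10"]
KEY_NEW = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNewKeyNotReal"
KEY_OLD = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedOldKeyNotReal"
SALT = b"0123456789abcdefghij"  # OpenSSH draws a random 20-byte salt per line
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "git.example.org,192.0.2.10 ssh-ed25519 " + KEY_NEW,         # hostname and one IP updated
    "192.0.2.11 ssh-ed25519 " + KEY_OLD,                          # second IP still has the old key
    hash_host("2001:db8::10", SALT) + " ssh-ed25519 " + KEY_OLD,  # hashed (HashKnownHosts yes), also old
    "@cert-authority *.example.org ssh-rsa " + KEY_OLD,           # CA line, not a host key
    "other.example.net ssh-ed25519 " + KEY_NEW,
])


if __name__ == "__main__":
    for lineno, name, key_type, _ in entries_for(SAMPLE_KNOWN_HOSTS, [SAMPLE_HOST] + SAMPLE_IPS):
        print("line %d: %s (%s)" % (lineno, name, key_type))
    print("stale IP entries:", stale_ip_entries(SAMPLE_KNOWN_HOSTS, SAMPLE_HOST, SAMPLE_IPS))
```

Each name the script reports is one `ssh-keygen -R <name> -f <known_hosts>` invocation away from being cleaned up (ssh-keygen's `-F`/`-R` also understand hashed lines, but only for the single name you pass them, which is why the per-IP lines are easy to miss). With CheckHostIP set to no, as the report asks, the per-IP lines are never written in the first place and the hostname entry alone carries the trust decision.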