
Re: ssh host ip/id management for dynamic dns servers [OT?]
Paul E Condon:
>
> I'm puzzled about the apparent 'security theater' on this topic.
> Known host checking is done, I think, to defend against 'man in the
> middle',

Exactly.

> so when the known host key changes because of some event down
> in the bowels of dynamic dns, does one have any possibility of
> determining that it is truly *not* a man-in-the-middle attack?

DynDNS doesn't have anything to do with your host key. The host key
doesn't change. If OpenSSH really alerts you to a changed host key, then
you are either not connecting to the system you expected to connect to
or its host key really has changed.

OpenSSH just records keys of hosts it has connected to
using the IP address *and* the name of the host. If the IP changes,
OpenSSH doesn't know the new combination of IP address and host key and
therefore asks to store it (again) in the known_hosts file.

"CheckHostIP no" should take care of that issue.

J.
-- 
I worry about people thinking I have lost direction.
[Agree]   [Disagree]
                 <http://www.slowlydownward.com/NODATA/data_enter2.html>
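As an added illustration (not code from the thread or from OpenSSH), the following Python models how a known_hosts entry is matched by hostname and by IP address, and what "CheckHostIP no" changes; the host name, addresses and key data are constructed sample values.

```python
import base64
import hmac

# Constructed sample known_hosts line (not from the thread). By default OpenSSH
# stores the hostname and the IP address together, comma separated, with the key.
SAMPLE_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey00000000000000000000"
KNOWN_HOSTS = "home.example.net,192.0.2.10 ssh-ed25519 " + SAMPLE_KEY + "\n"

def hashed_pattern(name, salt):
    """Build a '|1|salt|hash' pattern as HashKnownHosts does (HMAC-SHA1 of the name)."""
    digest = hmac.new(salt, name.encode(), "sha1").digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def pattern_matches(pattern, name):
    """True if a known_hosts host pattern (plain or hashed) names this host or IP."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, hash_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        digest = hmac.new(salt, name.encode(), "sha1").digest()
        return hmac.compare_digest(digest, base64.b64decode(hash_b64))
    return pattern == name

def parse_known_hosts(text):
    """Return [(patterns, keytype, key)] for each non-comment known_hosts line."""
    entries = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            patterns, keytype, key = line.split()[:3]
            entries.append((patterns.split(","), keytype, key))
    return entries

def lookup(entries, name, key):
    """'match', 'changed' (a key is stored for this name, but a different one) or 'unknown'."""
    for patterns, _, stored in entries:
        if any(pattern_matches(p, name) for p in patterns):
            return "match" if stored == key else "changed"
    return "unknown"

def check_host(entries, hostname, ip, key, check_host_ip=True):
    """The two lookups OpenSSH does: by hostname and, with CheckHostIP yes, also by IP."""
    result = {"host": lookup(entries, hostname, key)}
    if check_host_ip:
        result["ip"] = lookup(entries, ip, key)
    return result

ENTRIES = parse_known_hosts(KNOWN_HOSTS)
if __name__ == "__main__":
    # Same host key, but dynamic DNS now points the name at a new address.
    print(check_host(ENTRIES, "home.example.net", "192.0.2.20", SAMPLE_KEY))  # {'host': 'match', 'ip': 'unknown'}
    print(check_host(ENTRIES, "home.example.net", "192.0.2.20", SAMPLE_KEY, check_host_ip=False))  # {'host': 'match'}
```

A 'changed' result for the hostname is the warning to act on, while 'unknown' for the IP alone only means the new address/key pairing has not been recorded yet; since OpenSSH 8.5 CheckHostIP already defaults to no.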
