
Re: ssh host ip/id management for dynamic dns servers [OT?]



On 02/11/2014 03:52 PM, Paul E Condon wrote:
> ... Known host checking is done, I think, to defend against 'man in
> the middle', so when the known host key changes because of some event
> down in the bowels of dynamic dns, does one have any possibility of 
> determining that it is truly *not* a man-in-the-middle attack? Is
> there some method for checking up on dynamic dns changes other than
> merely noting the new value and adapting to it? ...

The host key does not change in this case, it's just that with dynamic
DNS the same host gets a new IP address.  That means that the same key
can have multiple entries in known_hosts.  known_hosts can get long and
unwieldy, filling with ip numbers that will never be used again.

In the case where the host key does get changed (system replaced without
backing up keys, for example) then StrictHostKeyChecking set to 'yes' or
'ask' shows the fingerprint before adding it to known_hosts.  It is also
possible to pre-load in advance the user's known_hosts or the system's
known host with the appropriate public key.

Regards,
/Lars
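As an added illustration (not part of Lars's message), a small Python script that works through the two cases distinguished above on a constructed known_hosts file: the same key appearing under several addresses (dynamic DNS), and a hostname whose key really did change. The key blobs and host names are placeholders, not real key material.

```python
"""Group known_hosts entries by key and classify a host/key pair the way ssh does."""
from collections import defaultdict

# Constructed sample known_hosts: one dynamic-DNS host seen under three addresses
# (same key each time) and one host with a single RSA key. Keys are placeholders.
KNOWN_HOSTS = """\
home.example.net,203.0.113.10 ssh-ed25519 AAAAC3KEYALPHA
203.0.113.45 ssh-ed25519 AAAAC3KEYALPHA
203.0.113.77 ssh-ed25519 AAAAC3KEYALPHA
server.example.org ssh-rsa AAAAB3KEYBRAVO
# comments and blank lines are ignored
"""


def parse_known_hosts(text):
    """Return a list of (hostnames, keytype, key); skips comments, blanks,
    @-marker lines and hashed (|1|...) entries, which cannot be grouped by name."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("|1|"):
            continue
        entries.append((fields[0].split(","), fields[1], fields[2]))
    return entries


def hosts_by_key(entries):
    """Map (keytype, key) -> all host names/IPs recorded under it.
    Many addresses under one key is exactly the dynamic-DNS situation."""
    groups = defaultdict(list)
    for hosts, keytype, key in entries:
        groups[(keytype, key)].extend(hosts)
    return groups


def check_host(entries, host, keytype, key):
    """Classify like StrictHostKeyChecking: 'known' (host and key match),
    'new' (host never seen; a new IP for a known key lands here too),
    'changed' (host seen with a different key of the same type: investigate)."""
    for hosts, ktype, k in entries:
        if host in hosts and ktype == keytype:
            return "known" if k == key else "changed"
    return "new"


def consolidate(entries):
    """One line per key with every name/IP merged, to keep known_hosts short."""
    return [f"{','.join(dict.fromkeys(hosts))} {keytype} {key}"
            for (keytype, key), hosts in hosts_by_key(entries).items()]
```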