[PATCH] clarify how IgnoreUserKnownHosts works
calestyo at scientia.net
Sat Feb 21 13:51:02 AEDT 2015
From: Christoph Anton Mitterer <mail at christoph.anton.mitterer.name>
Based on the previous documentation of the IgnoreUserKnownHosts directive, the
average user could easily think that the default value “no” is the more secure
choice (in the sense of “do not even check in ~/.ssh/known_hosts”).
• Clarify in sshd_config(5) that a value of “yes” in the IgnoreUserKnownHosts
directive makes sshd(8) only trust the global known hosts list
(/etc/ssh/ssh_known_hosts).
Signed-off-by: Christoph Anton Mitterer <mail at christoph.anton.mitterer.name>
---
sshd_config.5 | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sshd_config.5 b/sshd_config.5
index 43cc826..4ed3afc 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -627,7 +627,9 @@ should ignore the user's
during
.Cm RhostsRSAAuthentication
or
-.Cm HostbasedAuthentication .
+.Cm HostbasedAuthentication
+and instead only trust the systemwide
+.Pa /etc/ssh/ssh_known_hosts .
The default is
.Dq no .
.It Cm IPQoS
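Review bot: The text added after ".Cm HostbasedAuthentication" only spells out the "yes" case, while the commit message says the misreading to prevent is that the default "no" looks like the safer value. The unchanged "The default is .Dq no ." that follows still leaves the reader to infer that with "no" the user's own known hosts file is trusted during these authentication methods. Consider adding one sentence before "The default is" that says so directly, so that the security consequence of the default is stated rather than implied.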
--
2.1.4