[PATCH] clarify how IgnoreUserKnownHosts works

calestyo at scientia.net calestyo at scientia.net
Sat Feb 21 13:51:02 AEDT 2015

From: Christoph Anton Mitterer <mail at christoph.anton.mitterer.name>

Based on the previous documentation of the IgnoreUserKnownHosts directive, the
average user could easily think that the default value “no” is the more secure
choice (in the sense of “do not even check in ~/.ssh/known_hosts”).

• Clarify in sshd_config(5), that a value of “yes” in the IgnoreUserKnownHosts
  directive, makes sshd(8) only trust the global known hosts list (/etc/ssh/

Signed-off-by: Christoph Anton Mitterer <mail at christoph.anton.mitterer.name>
 sshd_config.5 | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sshd_config.5 b/sshd_config.5
index 43cc826..4ed3afc 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -627,7 +627,9 @@ should ignore the user's
 .Cm RhostsRSAAuthentication
-.Cm HostbasedAuthentication .
+.Cm HostbasedAuthentication
+and instead only trust the systemwide
+.Pa /etc/ssh/ssh_known_hosts .
 The default is
 .Dq no .
 .It Cm IPQoS

More information about the openssh-unix-dev mailing list