future default for UpdateHostKeys: ask or yes?

Damien Miller djm at mindrot.org
Fri Feb 21 10:15:08 AEDT 2020

On Thu, 20 Feb 2020, James Ralston wrote:

> On Fri, Feb 14, 2020 at 1:25 AM Damien Miller <djm at openbsd.org> wrote:
> > A future release of OpenSSH will enable UpdateHostKeys by default to
> > allow the client to automatically migrate to better algorithms.
> > Users may consider enabling this option manually.
> When you say “enable UpdateHostKeys by default,” do you mean a future
> release of OpenSSH will default it to “ask”, or default it to “yes”?

The default will be 'yes' unless the user has overridden
UserKnownHostsFiles, in which case it will be 'no'.

> The only other option with no/ask/yes options that doesn’t default to
> no is StrictHostKeyChecking, which defaults to ask, so I suspect the
> future default will be ask, not yes.
> I ask (no pun intended, ha) because we’d like to set UpdateHostKeys
> _now_ to what the future default will be, but it’s not clear from the
> announcement whether the future default will be ask or yes.

You're certainly welcome to do that, but you should be warned that
there are some corner-case bugs that are known to exist relating to
host certificates and @revoked keys. If you're not using either of
those then I'd appreciate your running with UpdateHostKeys=yes and
reporting your experience.


More information about the openssh-unix-dev mailing list