Misleading documentation for StrictHostKeyChecking

Simon Ruderich simon at ruderich.org
Sun Apr 30 02:29:08 AEST 2023


The ssh_config man page for StrictHostKeyChecking contains a
misleading sentence. The description of the option ends with "The
host keys of known hosts will be verified automatically in all
cases.". This sounds to me like no matter the value of
StrictHostKeyChecking the host keys are verified; "verified"
meaning "don't connect if they don't match".

Maybe I'm misinterpreting the intended meaning of "verified" in
this context, but I think my interpretation is the obvious one
for most readers. Also, as the sentence is at the end of the
paragraph it sounds like it applies to the whole and thus to all
possible option values.

Recent versions of the documentation correctly explain the actual
behavior in the earlier part of the paragraph ("If this flag is
set to no or off, ssh will automatically add new host keys to the
user known hosts files and allow connections to hosts with
changed hostkeys to proceed, subject to some restrictions.").

Please consider removing this sentence as all important
information is already present in the paragraph and the sentence
is confusing.

+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
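Since the practical risk in this thread is a config that silently sets "no"/"off", here is an added audit script (not part of the post above) that reports every Host/Match block in an ssh_config-style file where StrictHostKeyChecking disables verification. The option semantics in the comments come from ssh_config(5); the sample config the script writes is constructed for the demonstration, and the host names in it are not real.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: audit an ssh_config file for
# Host/Match blocks that disable host-key verification.
# Per ssh_config(5): "no"/"off" auto-adds unknown keys AND lets a connection
# proceed when a known host's key has changed (the MITM-relevant case);
# "accept-new" adds unknown keys but refuses changed ones; "yes"/"ask" refuse
# or prompt on unknown keys.

# audit_shkc FILE: print one line per "StrictHostKeyChecking no|off", prefixed
# with the Host/Match block it belongs to ("(global)" if outside any block).
audit_shkc() {
    awk '
        /^[ \t]*(#|$)/ { next }                # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # keyword and value may be separated by whitespace or "="
            if (match(line, /[ \t=]+/)) {
                kw  = substr(line, 1, RSTART - 1)
                val = substr(line, RSTART + RLENGTH)
            } else { kw = line; val = "" }
            key = tolower(kw)
            if (key == "host" || key == "match") { ctx = kw " " val; next }
            if (key == "stricthostkeychecking") {
                v = tolower(val); gsub(/"/, "", v)
                if (v == "no" || v == "off")
                    printf "%s: StrictHostKeyChecking %s\n", (ctx == "" ? "(global)" : ctx), val
            }
        }' "$1"
}

# write_sample FILE: constructed sample config (hypothetical hosts) for a dry run.
write_sample() {
    cat > "$1" <<'EOF'
# Global default: refuse unknown and changed keys
StrictHostKeyChecking yes

Host lab-*
    # convenient, but a changed key will NOT stop the connection
    StrictHostKeyChecking no

Host build.example.test
    StrictHostKeyChecking=accept-new

Host legacy
    StrictHostKeyChecking off
EOF
}

# Usage: write_sample /tmp/ssh_config.sample && audit_shkc /tmp/ssh_config.sample
```

On the sample above the script reports only the `lab-*` and `legacy` blocks; the global `yes` and the `accept-new` entry pass.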