Human readable .ssh/known_hosts?
Nico Kadel-Garcia
nkadel at gmail.com
Wed Sep 30 13:09:33 AEST 2020
On Tue, Sep 29, 2020 at 10:56 PM Damien Miller <djm at mindrot.org> wrote:
>
> On Tue, 29 Sep 2020, Nico Kadel-Garcia wrote:
>
> > As I understand this option, it does not help at all with the nearly
> > inevitable re-use of the same IP address for a different host with a
> > different hostkey in, for example, a modest DHCP based environment.
> > Such environments are common both in smaller, private networks and in
> > large public networks, and it's perhaps startlingly common in cloud
> > environments: it's one of the reasons I'm so willing to disable
> > $HOME/.ssh/known_hosts.
>
> Again, you should read the documentation for CheckHostIP. Turning it off
> makes known_hosts solely bind to hostnames and, as long as you use names
> to refer to hosts, avoids any problems caused by IP address reuse.
Have you used AWS? Unless you spend the time and effort, the hostname
registered in AWS DNS is based on the IP address. Many people do *not*
use consistent subnets for distinct classes of server or specific OS
images, so different servers wind up on the same IP address with
distinct hostkeys based on factors like autoscaling, for which IP
addresses are not predictable. You can work around it, by locking down
and sharing hostkeys for your OS images, or by segregating subnets
based on application and corresponding OS image. These present other
burdens.
For small networks, you can manage the keys and/or the DNS sanely and
consistently. It's also much easier if the same person doing security
tools like SSH is also managing DNS. But this is rare for larger
environments. It's partly why I recommend the "disable known_hosts"
hammer; it ends fiddling with what is likely to bite at an extremely
inopportune moment.
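As an added illustration, not part of the thread, here is a small Python model of how a known_hosts lookup binds to hostnames versus IP addresses under CheckHostIP; the hostnames, the 10.0.0.5 address and the key strings are constructed, and it skips @-marker lines for brevity.

```python
# Added example (not from the thread): how known_hosts entries bind to
# names and, with CheckHostIP, also to IP addresses. Sample data is constructed.
import base64
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class Entry:
    hosts: list      # plain names/IPs, or one "|1|salt|hash" hashed token
    keytype: str
    key: str

def hash_host(host, salt=b"\x01" * 20):
    """Build the |1|salt|hash token that HashKnownHosts writes (HMAC-SHA1)."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())

def host_matches(pattern, host):
    """Match one token; hashed tokens are checked by recomputing the HMAC."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, digest_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(digest_b64))
    return pattern == host

def parse_known_hosts(text):
    """Parse plain and hashed known_hosts lines; comments and @-markers skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or line[0] in "#@":
            continue
        entries.append(Entry(fields[0].split(","), fields[1], fields[2]))
    return entries

def stale_keys(entries, hostname, ip, presented_key, check_host_ip=True):
    """Keys stored for the looked-up names that differ from the presented key.
    CheckHostIP=no looks up the hostname only; yes also looks up the IP, so
    a reused DHCP/cloud address drags in the previous tenant's key."""
    wanted = [hostname] + ([ip] if check_host_ip else [])
    return {e.key for e in entries
            if e.key != presented_key
            and any(host_matches(p, w) for p in e.hosts for w in wanted)}

# Constructed scenario: web-a once held 10.0.0.5; db-b now does, with its own key.
KNOWN_HOSTS = ("web-a,10.0.0.5 ssh-ed25519 AAAA_KEY_A\n"
               + hash_host("db-b") + " ssh-ed25519 AAAA_KEY_B\n")
ENTRIES = parse_known_hosts(KNOWN_HOSTS)
```

With the IP looked up, db-b's connection surfaces web-a's old key for 10.0.0.5 (the mismatch OpenSSH warns about); with hostname-only lookup it does not.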