From: Niels Provos
To: Robert Watson
Cc: Dug Song, Tomaz Borstnar, freebsd-security@freebsd.org
Date: Mon, 22 Nov 1999 11:41:32 -0500 (EST)
Subject: Re: OpenSSH & AllowHosts

On Mon, 22 Nov 1999, Robert Watson wrote:

> regularly connect to. I found that the new OpenSSH ignores the
> hostname-based entries and adds new IP-based entries automatically, with
> minimal warning. Is it doing all lookups based on IP and adding the key

It does not ignore them. It does additional checking with the IP address. You can disable this behaviour by setting CheckHostIP = no in your config file.

> asking for confirmation, even though host keys are already present with a
> by-name lookup, I'm not sure I like the behavior--names are more likely to
> remain consistent in the world of NATs, dynamic IPs with DNS update, etc.

IP addresses are only added if the host key associated with the domain name matches. Did you actually encounter any problems with this? Yes, there are many NATed networks and dynamic IPs out there, but most of them are not used for remote login. As I said, setting CheckHostIP = no solves this, if it is a problem for you.

Niels.
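The check described in the reply, as an added example that is not OpenSSH's code or part of the original message: a simplified model of a known_hosts lookup by name, the additional lookup by IP, the automatic IP entry, and the effect of turning CheckHostIP off. The status words, the helper names and the sample known_hosts lines are this model's own constructions.

```python
# Added example (not OpenSSH's code): a simplified model of the known_hosts
# checks discussed in the thread. known_hosts lines here are assumed to be
# "host1,host2 keytype base64key"; status words are this model's own.
from typing import Dict, Tuple

def parse_known_hosts(text: str) -> Dict[str, str]:
    """Map each host name or IP in the file to its stored key."""
    known: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, _, key = line.partition(" ")
        for host in hosts.split(","):
            known[host] = key.strip()
    return known

def check_host(known: Dict[str, str], name: str, ip: str, key: str,
               check_host_ip: bool = True) -> Tuple[str, Dict[str, str]]:
    """Return (status, updated known_hosts). The original mapping is untouched.

    new_host    : no entry for the name; the user must confirm the fingerprint
    mismatch    : the stored key for the name differs (possible MITM or rekey)
    ip_mismatch : the name matches but the IP entry holds a different key
    match       : name (and IP, when checked) agree with the presented key
    """
    known = dict(known)
    stored = known.get(name)
    if stored is None:
        return "new_host", known
    if stored != key:
        return "mismatch", known
    if not check_host_ip:          # CheckHostIP = no: stop at the name check
        return "match", known
    ip_stored = known.get(ip)
    if ip_stored is None:          # name matched, so the IP entry is added
        known[ip] = key
        return "match", known
    if ip_stored != key:           # the NAT / dynamic-IP case raised above
        return "ip_mismatch", known
    return "match", known

# Constructed sample: the name entry exists, while the IP it currently
# resolves to was recorded earlier with a different host's key.
SAMPLE = "gw.example.org ssh-rsa KEY_A\n192.0.2.10 ssh-rsa KEY_B\n"

if __name__ == "__main__":
    hosts = parse_known_hosts(SAMPLE)
    print(check_host(hosts, "gw.example.org", "192.0.2.10", "ssh-rsa KEY_A")[0])
    print(check_host(hosts, "gw.example.org", "192.0.2.10", "ssh-rsa KEY_A", False)[0])
```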