Re: why won't openssh work with hosts file?

From: Michael Erdely (mike_at_erdelynet.com)
Date: 12/30/03

  • Next message: Michael Erdely: "Re: why won't openssh work with hosts file?"
    To: sean darcy <seandarcy@hotmail.com>
    Date: Mon, 29 Dec 2003 20:07:43 -0500

    On Mon, 2003-12-29 at 19:00, sean darcy wrote:
    >
    > > > Why didn't OpenSSH ask me if I'd accept the host? What's the difference
    > > > between StrictHostKeyChecking yes and ask ?
    > >
    > >See below.
    > >
    > .................................
    > > From "man 5 ssh_config":
    > > StrictHostKeyChecking
    > >   . . . If this flag is set to ``ask'', new host keys
    > >   will be added to the user known host files only after the user
    > >   has confirmed that is what they really want to do, and ssh will
    > >   refuse to connect to hosts whose host key has changed. . . .
    > >
    >
    > But that's the problem. OpenSSH didn't "ask". It didn't give the user an
    > opportunity to confirm that is what he really wants to do.
    >
    > Why not?
    >
    > sean

    Read it again... slowly.
    If the flag is set to ask, NEW keys will be added, but ssh will refuse
    to connect for hosts whose key has CHANGED.

    Since you had an entry with a different key, ssh assumes that it
    changed. This could be a man-in-the-middle attack. It's up to you to
    verify the correct key and delete the incorrect entry from your
    known_hosts file. Remember what the first "s" stands for in SSH.

    -ME
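The rule Michael quotes from ssh_config(5) and applies in his reply, as an added Python model that is not part of the original thread and is not OpenSSH code: a host with no known_hosts entry gets the "ask" prompt, a host whose recorded key differs is refused without any prompt, and deleting the stale entry (what `ssh-keygen -R host` does) is what brings the prompt back. The hostnames and key blobs are constructed placeholders, and the parser assumes plain hostname entries only (no hashed names, ports, wildcards or `@` markers).

```python
# Added illustration of the StrictHostKeyChecking decision described in the
# thread; this is not OpenSSH source. It models the ssh_config(5) rule quoted
# above: with "ask", a host with no known_hosts entry triggers a prompt, while a
# host whose recorded key differs is refused outright. Real OpenSSH also
# handles hashed hostnames, [host]:port syntax, wildcard patterns and the
# @cert-authority / @revoked markers; this model covers plain entries only.
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"   # presented key matches the stored entry
    ASK = "ask"         # host unknown: prompt the user before adding the key
    REFUSE = "refuse"   # host known but key differs (possible MITM), or
                        # unknown host under StrictHostKeyChecking=yes


def parse_known_hosts(text):
    """Return {hostname: {keytype: keydata}} from known_hosts text."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        # skip blanks, comments and marker lines (@cert-authority, @revoked)
        if not line or line.startswith(("#", "@")):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line; OpenSSH would warn and ignore it
        hosts, keytype, keydata = fields[0], fields[1], fields[2]
        for host in hosts.split(","):
            table.setdefault(host, {})[keytype] = keydata
    return table


def check_host_key(known_hosts_text, host, keytype, keydata, strict="ask"):
    """Decide what ssh does with the key a server presents.

    strict is the StrictHostKeyChecking value: "ask" or "yes".
    """
    stored = parse_known_hosts(known_hosts_text).get(host, {}).get(keytype)
    if stored is None:
        # No entry for this host and key type: a new key. "ask" prompts;
        # "yes" never adds keys automatically, so the connection is refused.
        return Verdict.ASK if strict == "ask" else Verdict.REFUSE
    if stored == keydata:
        return Verdict.ACCEPT
    # An entry exists but does not match: ssh treats the key as changed and
    # refuses under both "ask" and "yes". No prompt is offered.
    return Verdict.REFUSE


def remove_host_entry(known_hosts_text, host):
    """Drop a host from known_hosts text (what `ssh-keygen -R host` does).

    A line listing several hosts keeps its other hosts.
    """
    kept = []
    for raw in known_hosts_text.splitlines():
        fields = raw.split()
        if len(fields) >= 3 and not raw.lstrip().startswith(("#", "@")):
            hosts = [h for h in fields[0].split(",") if h != host]
            if not hosts:
                continue  # line belonged only to this host
            fields[0] = ",".join(hosts)
            kept.append(" ".join(fields))
        else:
            kept.append(raw)
    return "\n".join(kept) + ("\n" if kept else "")


# Constructed sample data: the key blobs are placeholders, not real keys.
OLD_KEY = "AAAAB3NzaC1yc2EAAAADAQABAAAAgQC_OLD_KEY_PLACEHOLDER"
NEW_KEY = "AAAAB3NzaC1yc2EAAAADAQABAAAAgQC_NEW_KEY_PLACEHOLDER"
SAMPLE_KNOWN_HOSTS = (
    "# constructed known_hosts\n"
    f"alpha.example,10.0.0.5 ssh-rsa {OLD_KEY} admin@alpha\n"
    f"gamma.example ssh-rsa {NEW_KEY}\n"
)


def walk_through():
    """Replay the situation in the thread and return each verdict."""
    # alpha.example is recorded with OLD_KEY but now presents NEW_KEY:
    # no prompt, just a refusal, exactly as the man page says.
    changed = check_host_key(SAMPLE_KNOWN_HOSTS, "alpha.example", "ssh-rsa", NEW_KEY)
    # The fix from the reply: verify the key out of band, then delete the stale
    # entry. Only then does ssh see a *new* host and offer to ask.
    cleaned = remove_host_entry(SAMPLE_KNOWN_HOSTS, "alpha.example")
    after_cleanup = check_host_key(cleaned, "alpha.example", "ssh-rsa", NEW_KEY)
    # 10.0.0.5 shared the line with alpha.example and must survive the cleanup.
    alias_kept = check_host_key(cleaned, "10.0.0.5", "ssh-rsa", OLD_KEY)
    return changed, after_cleanup, alias_kept


if __name__ == "__main__":
    labels = ("changed key", "after cleanup", "alias kept")
    for label, verdict in zip(labels, walk_through()):
        print(f"{label}: {verdict.value}")
```

Running the block prints `changed key: refuse`, `after cleanup: ask`, `alias kept: accept`, which is the sequence the reply describes: the mismatch is refused, and only after the stale entry is removed does the "ask" prompt appear. The out-of-band verification step (comparing the fingerprint against one obtained from the server's administrator) is deliberately left to the human; the model only shows why ssh never offered the prompt in the first place.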
