Re: why won't openssh work with hosts file?
From: Michael Erdely (mike_at_erdelynet.com)
To: sean darcy <email@example.com>
Date: Mon, 29 Dec 2003 20:07:43 -0500
On Mon, 2003-12-29 at 19:00, sean darcy wrote:
> > > Why didn't OpenSSH ask me if I'd accept the host? What's the difference
> > > between StrictHostKeyChecking yes and ask ?
> >See below.
> >From "man 5 ssh_config":
> > StrictHostKeyChecking
> > . . . If this flag is set to ``ask'', new host keys
> > will be added to the user known host files only after the
> > has confirmed that is what they really want to do, and ssh
> > refuse to connect to hosts whose host key has changed. . .
> But that's the problem. OpenSSH didn't "ask". It didn't give the user an
> opportunity to confirm that is what he really wants to do.
> Why not?
Read it again... slowly.
If the flag is set to ask, NEW keys will be added, but ssh will refuse
to connect for hosts whose key has CHANGED.
Since you had an entry with a different key, ssh assumes that it
changed. This could be a man-in-the-middle attack. It's up to you to
verify the correct key and delete the incorrect entry from your
known_hosts file. Remember what the first "s" stands for in SSH.
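A worked illustration of the distinction drawn above (a NEW key is added after the prompt, a CHANGED key is refused outright), added here as an example and not code from this thread or from OpenSSH. It reproduces the known_hosts lookup with POSIX tools only so it runs without an ssh client; the host names alpha.example, beta.example and gamma.example, the key strings, and the helper names make_known_hosts, classify_host, remove_host_entry and count_entries are all constructed for the example.

```shell
#!/bin/sh
# Added example: model ssh's known_hosts decision (new / match / changed) and the
# cleanup step the reply describes (remove the stale entry, then re-verify).
# Uses awk and mktemp only; see the note after the block for the real commands.

# Build a constructed known_hosts file. The keys are placeholders, not real
# public keys. Plain format: "hostname keytype base64key".
make_known_hosts() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
alpha.example ssh-rsa AAAAB3Nza-old-key-for-alpha
beta.example ssh-rsa AAAAB3Nza-current-key-for-beta
EOF
  echo "$f"
}

# classify_host FILE HOST KEYTYPE KEY
# Prints one of:
#   new     - no entry for HOST; with StrictHostKeyChecking=ask, ssh prompts
#             and appends the key if the user confirms
#   match   - entry present and identical; ssh connects without prompting
#   changed - entry present with a different key; ssh refuses to connect,
#             because this is what a man-in-the-middle would look like
classify_host() {
  file=$1; host=$2; ktype=$3; key=$4
  stored=$(awk -v h="$host" -v t="$ktype" '$1==h && $2==t {print $3; exit}' "$file")
  if [ -z "$stored" ]; then
    echo new
  elif [ "$stored" = "$key" ]; then
    echo match
  else
    echo changed
  fi
}

# remove_host_entry FILE HOST
# Drop every line for HOST. This is the manual equivalent of `ssh-keygen -R HOST`;
# note that real known_hosts files may use hashed host names (HashKnownHosts),
# which plain text matching like this cannot see, so prefer ssh-keygen there.
remove_host_entry() {
  file=$1; host=$2
  tmp=$(mktemp)
  awk -v h="$host" '$1!=h' "$file" >"$tmp" && mv "$tmp" "$file"
}

# count_entries FILE HOST : number of remaining lines for HOST
count_entries() {
  awk -v h="$2" '$1==h {n++} END {print n+0}' "$1"
}

# Walk through the scenario from the thread: alpha.example has an old entry,
# so a connection presenting a different key is classified as "changed";
# only after the stale entry is removed does it become "new" (and thus prompt).
demo() {
  f=$(make_known_hosts)
  echo "alpha before cleanup: $(classify_host "$f" alpha.example ssh-rsa AAAAB3Nza-new-key-for-alpha)"
  remove_host_entry "$f" alpha.example
  echo "alpha after cleanup:  $(classify_host "$f" alpha.example ssh-rsa AAAAB3Nza-new-key-for-alpha)"
  rm -f "$f"
}
```

In practice the two steps are `ssh-keygen -R hostname` to drop the stale entry and then an out-of-band comparison of the fingerprint before answering the prompt, for example by running `ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub` on the server's own console (the usual default path) and checking it against what ssh shows; removing the entry without that comparison throws away the only protection the warning was giving you.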