Question on DNS spoofing and CheckHostIP


I have a question on the IP address check performed by ssh clients as
part of key verification against entries in known_hosts file. ( i.e.
the additional checks that are turned on when we set 'CheckHostIP' to
'Yes' in ssh_config file).

As per the man page of ssh_config:

If this flag is set to "yes", ssh will additionally check the
host IP address in the known_hosts file. This allows ssh to
detect if a host key changed due to DNS spoofing. If the option
is set to "no", the check will not be executed. The default is

However, I am not able to understand the situations in which this
check will be able to detect any DNS spoofing other what can be
detected by regular host key verification.

Consider this situation:
hostA is IP address is
known_hosts file in hostB has entry for hostA, as below:
hostA, ssh-rsa <key......>

From hostB, I execute
ssh myuser@hostA

Let us say, there is DNS spoofing and hence I get connected to a different host.

ssh will try to search in the known_hosts for an entry corresponding
to hostA. It tries to match the key found with what was given by the
remote end. There is key mismatch and user is informed.
In such a case, regular host name checking was enough to detect the
DNS spoofing. The IP address check did not even come into picture.

If at all, the remote end had the correct keys, then both host name
and IP address check would have passed. Here, the IP address check
does not give any additional security.

In summary, I am not able to understand the additional benefits in
doing 'CheckHostIP'.

Your comments on this would really help.


Relevant Pages

  • RE: sshd / ssh setup
    ... We have an Remote FreeBSD system which is located some where on the ... This method gives the maximum protection possible utilizing ssh. ... Host setup steps. ... Reboot your system to activate sshd and login as root. ...
  • SSH filter transer, was Re: Soft Update - directory/file listing
    ... But SSH file transfer is painfully slow all the time. ... ## SSH 3.2 Server Configuration File ... # Note that forwardings using the name of this host will be allowed (if ...
  • Re: [opensuse] Re: OpenSUSE PuTTY ?
    ... PuTTY lets you set up all kinds of special options, tied to which host ... The ssh daemon on the host machine is usually activated by default, ... As a taster to open a remote session in a new window in any konsole ... Windows users should explore Cygwin as this will allow you to run ssh ...
  • Re: Disable name canonicalization for OpenSSH GSSAPI
    ... The issue I'm having is with a new server ... I'm unable to setup the correct reverse ... When I attempt to connect to this host with SSH, ...
  • Re: hacked?
    ... So I ssh'd in and did a netstat and saw what looked like an unwanted SSH connection... ... On the local host type nmap -sV localhost -p 1-65535 to see what ports respond and which apps/services. ...