Re: can openssh/logins be exploited this way?
From: Neil W Rickert (rickert+nn@cs.niu.edu)
Date: 01/20/03
From: Neil W Rickert <rickert+nn@cs.niu.edu> Date: 19 Jan 2003 23:13:24 GMT
"Andreas Bittner" <bittner@hotmail.com> writes:
>maybe I didn't quite explain the dyndns problem.
>I have a dyndns name registered because I have a dynamic home customer DSL
>provider which changes IPs/redials every 24 hours.
>so no matter if I had the real "myname.dyndns.org" machine in my ssh public
>keys already, since after 24 hours it gets a new name, each time a new IP is
>saved into my known hosts, isn't this correct?
From the openssh man pages:
    CheckHostIP
            If this flag is set to ``yes'', ssh will additionally
            check the host IP address in the known_hosts file.
            This allows ssh to detect if a host key changed due to
            DNS spoofing. If the option is set to ``no'', the
            check will not be executed. The default is ``yes''.
It would seem that you should set CheckHostIP to "no", at least for
connecting to your dynamic host. Then only the hostname is matched
up with the known_hosts file data. That way you should only be
prompted when something is amiss (such as connecting to the wrong
host).
>does ssh -2 -l username myhost.dyndns.org save an IP-independent entry in
>the known hosts? or does it resolve the name to an IP and save that?
Normally it will save both IP and hostname. By turning off the IP
check, it should use only the hostname, which is better when the IP
is dynamic but the hostname is constant.
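
The lookup discussed in this message, as an added example that is not part of the original post and is not OpenSSH code: a simplified Python model of how a plain (unhashed) known_hosts file is consulted with CheckHostIP on and off. The host names, addresses, key strings, function names and verdict texts are constructed for illustration.

```python
# Simplified model of the known_hosts decision (plain, unhashed entries only).
# Every host name, address and key string here is constructed sample data.
KNOWN_HOSTS = """\
myname.dyndns.org,192.0.2.10 ssh-rsa AAAAhomekey
other.example.net,192.0.2.77 ssh-rsa AAAAotherkey
"""

def keys_for(known_hosts, name):
    """Return the set of (type, key) pairs recorded for a host name or IP."""
    found = set()
    for line in known_hosts.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 3:
            continue
        if name in fields[0].split(","):
            found.add((fields[1], fields[2]))
    return found

def status(known_hosts, name, key):
    """'ok' if key is recorded for name, 'changed' if a different key of
    the same type is recorded, 'new' if nothing of that type is recorded."""
    recorded = keys_for(known_hosts, name)
    if key in recorded:
        return "ok"
    same_type = {k for k in recorded if k[0] == key[0]}
    return "changed" if same_type else "new"

def verdict(known_hosts, hostname, ip, key, check_host_ip=True):
    """Outcome of presenting `key` while connecting to hostname at ip."""
    host = status(known_hosts, hostname, key)
    if host == "changed":
        return "refuse: host key changed"   # fires with or without the IP check
    if host == "new":
        return "prompt: unknown host"
    if not check_host_ip:
        return "ok"                         # host name match alone decides
    ip_state = status(known_hosts, ip, key)
    if ip_state == "new":
        return "ok, IP added to known_hosts"  # one more entry per new lease
    if ip_state == "changed":
        return "warn: key differs from the one recorded for this IP"
    return "ok"

HOME = ("ssh-rsa", "AAAAhomekey")
if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.5", "192.0.2.77"):
        for flag in (True, False):
            print(ip, flag, verdict(KNOWN_HOSTS, "myname.dyndns.org", ip, HOME, flag))
```

In this model a new lease only adds an entry or raises an IP warning when the check is on, while a changed key for the host name is refused in both modes.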