I'm working at the UofA, and we use openssh all over the place (actually it's the only remote connection tool we use within our groups domain of influence. Save pop I suppose...). Anyways, for various reasons we have UseDNS set to ``yes''. This however is about 50% of our connection problems that our users have. Cable and even the DSL ISP's around here suck when it comes to managing and actually keeping their DNS up-to-date. Now, if the ssh client had a cookie of sorts (public key?) that it always sent (generated on first startup) when it connected to the server, I could envision a scenario where you would cache the tuple <username, cookie, IP, DNS>. The <username, cookie> portion would be a "hard key", where both would need to match in the database. The <IP, DNS> portion should be configurable, in our case we would want at least one to match, and upon a mismatch in either the DNS or IP (DHCP client, or DNS fuckup), to add that entry into the database as well. Each entry in the database would have a lifetime, and this lifetime would be updated each time you hit the entry in the database. If your tuple does not exist in the database, I could see sshd spitting back "Sorry, you're coming from a host/etc that you don't usually come from, please connect to https://foo.org/blahonga to authenticate further." and then closes the connection. Then on that web-site (or whatever the admin makes it spit back), you have a means to administer the cache entries. "So, you're coming in from a web cafe? Ok, set timeout to 1 day.", etc... Is this sort of thing doable? Is it desirable? Was the above clear? --Toby.