calestyo at scientia.net
2015-Feb-21 02:51 UTC
[PATCH] clarify how IgnoreUserKnownHosts works
From: Christoph Anton Mitterer <mail at christoph.anton.mitterer.name> Based on the previous documentation of the IgnoreUserKnownHosts directive, the average user could easily think that the default value ?no? is the more secure choice (in the sense of ?do not even check in ~/.ssh/known_hosts?). ? Clarify in sshd_config(5), that a value of ?yes? in the IgnoreUserKnownHosts directive, makes sshd(8) only trust the global known hosts list (/etc/ssh/ ssh_known_hosts). Signed-off-by: Christoph Anton Mitterer <mail at christoph.anton.mitterer.name> --- sshd_config.5 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/sshd_config.5 b/sshd_config.5 index 43cc826..4ed3afc 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -627,7 +627,9 @@ should ignore the user's during .Cm RhostsRSAAuthentication or -.Cm HostbasedAuthentication . +.Cm HostbasedAuthentication +and instead only trust the systemwide +.Pa /etc/ssh/ssh_known_hosts . The default is .Dq no . .It Cm IPQoS -- 2.1.4