search for: checkhostip

Displaying 20 results from an estimated 78 matches for "checkhostip".

2023 Aug 02
1
[PATCH] ssh_config: reflect default CheckHostIP no
...n this change: On Wed, 29 Mar 2023 at 19:38, Ed Maste <emaste at freefall.freebsd.org> wrote: > > From: Ed Maste <emaste at FreeBSD.org> > > By convention settings in ssh_config are shown with a commented out > default. > > Fixes: 6cb52d5bf771 ("upstream: make CheckHostIP default to 'no'...") > --- > ssh_config | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/ssh_config b/ssh_config > index 842ea866c..1eb1c0063 100644 > --- a/ssh_config > +++ b/ssh_config > @@ -25,7 +25,7 @@ > # GSSAPIAuthenticat...
2020 Sep 30
3
Human readable .ssh/known_hosts?
...29 Sep 2020 at 23:16, Nico Kadel-Garcia <nkadel at gmail.com> wrote: [...] > I gave up on $HOME/.ssh/known_hosts a *long* time ago, because if > servers are DHCP distributed without static IP addresses they can wind > up overlapping IP addresses with mismatched hostkeys You can set CheckHostIP=no in your config. As long as the names don't change it'll do what you want, and it's far safer than what you suggest. [...] > This has been the case since SSH-1 was written in 1995. CheckHostIP was added to OpenSSH in 1999 before the first release and has been in every release si...
2015 Oct 09
2
Permanently added hostkeys (due to IP address pool), without confirmation
Hello, maybe someone could please help and shed some light on a problem that I don't understand, and that even in multiple ways. The problem occurred three or four times over the past months (maybe half a year?) and manifests as ++ Pushing to "gitlab" (at least "master" differs)! Warning: Permanently added the RSA host key for IP address '104.46.105.89' to the
2003 Jul 06
4
Known hosts and dynamic IP addresses
Hi, it becomes more and more common to have machines with dynamically assigned IP addresses online (e.g. DSL), which can be found through dynamic DNS entries. Unfortunately, the "Known Hosts" mechanism doesn't work for these machines: Since the entry is made for the IP address, there's a new entry every time the address changes. Therefore, an option should be invented
2020 Oct 04
2
UpdateHostkeys now enabled by default
...081:6101:6552:9ca8:512b:9251' to the list of known hosts. > > > I find this quite disturbing (and it breaks some non interactive > scripts). Is it the intended behaviour ? No - I think you've stumbled on a corner case I hadn't anticipated. Does your configuration override CheckHostIP at all? What are the known_hosts entries for the hostname and IP? Thanks, Damien
2020 Oct 04
2
UpdateHostkeys now enabled by default
On Sun, Oct 04, 2020 at 09:24:12PM +1100, Damien Miller wrote: > On Sun, 4 Oct 2020, Damien Miller wrote: > > > No - I think you've stumbled on a corner case I hadn't anticipated. > > Does your configuration override CheckHostIP at all? No. > > > > What are the known_hosts entries for the hostname and IP? > > Also, do you use HashKnownHosts? or do you have any hashed host lines > in known_hosts? Yes I use HashKnownHosts yes Here are all the lines from my known_hosts.old that contain the public k...
2020 Oct 04
2
UpdateHostkeys now enabled by default
On Sun, 4 Oct 2020, Christoph Anton Mitterer wrote: > On Sun, 2020-10-04 at 14:02 +1100, Damien Miller wrote: > > This is strictly no worse than continuing to use the old key, so I > > don't consider it a problem. > > Well but in reality it will lead to people never again replacing their > key by proper means. Well, first I disagree that this method is improper. The
2020 Sep 30
2
Human readable .ssh/known_hosts?
...Such environments are common both in smaller, private networks and in > large public networks, and it's perhaps startlingly common in cloud > environments: it's one of the reasons I'm so willing to disable > $HOME/.ssh/known_hosts. Again, you should read the documentation for CheckHostIP. Turning it off makes known_hosts solely bind to hostnames and, as long as you use names to refer to hosts, avoids any problems caused by IP address reuse.
2020 May 30
0
[Bug 1602] ssh: doesn't handle IPv6 addresses with brackets
...<dtucker at dtucker.net> --- (In reply to Marc Herbert from comment #8) > Digression: with many operating systems using randomized IPv6 > addresses by default for privacy reasons, using ssh to .local > systems on the same LAN causes uncontrollable .ssh/know_hosts growth. You can set CheckHostIP=no for those hosts, eg Host *.local CheckHostIP no -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
2003 Dec 07
1
hostbased failing and can't derive reason of failure in debugging output
...much (I hope it doesn't get stripped off by the mailing list software). Some basic configuration info: ssh_config (stripped): Host hostname.domainname.tld PreferredAuthentications hostbased,publickey,password HostbasedAuthentication yes GlobalKnownHostsFile /etc/ssh/ssh_known_hosts2 CheckHostIP yes StrictHostKeyChecking ask Protocol 2 sshd_config (stripped): Protocol 2 HostbasedAuthentication yes IgnoreRhosts no shosts.equiv (stripped): 192.168.1.5 hostname.domainname.tld + + (Last line just for testing, obviously.) ls /etc/ssh/: ssh_host_dsa_key ssh_host_dsa_k...
2012 Mar 27
0
[Bug 1993] New: ssh tries to add keys to ~/.ssh/known_hosts though StrictHostKeyChecking yes is set
...system wide known hosts file, but only for the hostname and not for the IP address. It says: Failed to add the RSA host key for IP address '129.187.131.211' to the list of known hosts (/var/lib/nagios/.ssh/known_hos). (btw: Notice that it cuts the file name, is this another bug?) While CheckHostIP no prevents the above, it also means (AFAIU) that the IP is not checked, FOR WHICH it was e.g. manually added. Not sure whether this is a bug, or a documentation issue.... and what the right way around is (CheckHostIP no? or UserKnownHostsFile /dev/null ? ) Cheers, Chris. -- Configure bugmail...
2014 Sep 16
1
Extraneous option in sshd_config?
Hi, I've found the option in CentOS 7 in the sshd_config file #Host *.local # CheckHostIP no I think that option is for ssh_config, not for sshd_config. Please correct me if I'm wrong. Thanks in advance! -- -- Sergio Belkin http://www.sergiobelkin.com LPIC-2 Certified - http://www.lpi.org
1999 Dec 07
0
ANNOUNCE: openssh-1.2pre16
...hostfile.c] indent, shorter warning - [nchan.c] use error() for internal errors - [packet.c] set loglevel for SSH_MSG_DISCONNECT to log(), not fatal() serverloop.c indent - [ssh-add.1 ssh-add.c ssh.h] document $SSH_ASKPASS, reasonable default - [ssh.1] CheckHostIP is not available for connects via proxy command - [sshconnect.c] typo easier to read client code for passwd and skey auth turn off checkhostip for proxy connects, since we don't know the remote ip 19991126 - Add definition for __P() - Added [v]snprintf() replacement for syst...
2023 Jul 03
1
Subsystem sftp invoked even though forced command created
...-o HostKeyAlias="${Alias}" \ > -o GlobalKnownHostsFile="${EmbeddedKnownHosts}" \ > -o UserKnownHostsFile="${ClientSpecificKnownHosts}" \ > -o StrictHostKeyChecking="yes" \ > -o CheckHostIP="no" \ > -o NumberOfPasswordPrompts=0 \ > ${User}@${Host} 2>/dev/null Then whatever executes this command line does *not* understand (and eat) the "2>/dev/null" like shells of the Bourne family should, hence it winding up in the s...
2016 Apr 23
2
StreamLocal forwarding
...out having to arbitrate ports between clients. The idea is to configure the server to allow StreamLocalForwarding via a unique Unix socket on the host, that relays back to the client. i.e. on the client (named gateway for this example, but will be unique once deployed in volume): /usr/bin/ssh -o CheckHostIP=yes -o LogLevel=INFO -o ServerAliveCountMax=3 -o ServerAliveInterval=5 -o StrictHostKeyChecking=yes -o TCPKeepAlive=yes -o StreamLocalBindUnlink=yes -o ExitOnForwardFailure=yes -o BatchMode=yes -nN -R /sshvpn/gateway:127.0.0.1:22 -p 52221 sshvpn at host On the server: Match User sshvpn ChrootDi...
2015 Jun 01
0
[Bug 1993] ssh tries to add keys to ~/.ssh/known_hosts though StrictHostKeyChecking yes is set
...known_hosts, when e.g. the sysadmin managed ssh_known_hosts replaces legacy keys. > The > debug output from ssh -vvv should give a clue as to what is going > on, so please attach one. will do that in a minute (In reply to Damien Miller from comment #8) > The OP's question is the CheckHostIP option updating addresses for > hostnames it already knows about. We could probably clarify the > documentation for this behaviour Well, see above,... I think it shouldn't (even if the documentation was updated),... I think it's really security sensitive... But adding information abo...
2023 Aug 18
2
Host key verification (known_hosts) with ProxyJump/ProxyCommand
...d VK4MSL <me at vk4msl.com> wrote: > [...] >> The crux of this is that we cannot assume the local IPv4 address is >> unique, since it's not (and in many cases, not even static). > > If the IP address is not significant, you can tell ssh to not record > them ("CheckHostIP no"). If I understand correctly, you need to *know* the target system's local 172-ish IP to be able to log in. If so, and your DNS admin frowns at setting up 16 million RRs to cover 172.0.0.0/8 in preparation, sslip.io might be helpful. https://sslip.io/ Otherwise, and assuming a *ma...
2011 Jul 17
2
openSSH 5.8p2 BindPort patch
...compression algorithm is the same used by gzip(1), and the @@ -215,6 +219,7 @@ DESCRIPTION AddressFamily BatchMode BindAddress + BindPort ChallengeResponseAuthentication CheckHostIP Cipher diff -rupN openssh-5.8p2//ssh.1 openssh-5.8p2-srcport//ssh.1 --- openssh-5.8p2//ssh.1 2010-11-20 04:21:03.000000000 +0000 +++ openssh-5.8p2-srcport//ssh.1 2011-07-17 20:56:13.265387325 +0100 @@ -45,6 +45,7 @@ .Bk -words .Op Fl 1246AaCfgKkMNnqsTtVvXxYy .Op Fl b Ar bind_...
2004 Aug 26
2
OpenSSH PATCH: OpenCommand and CloseCommand
...hconnect.c | 87 +++++++++++++++++++++++++++++++++++++++++++++ openssh-3.8p1/sshconnect.h | 4 ++ 9 files changed, 156 insertions(+), 2 deletions(-) Index: ssh.1 --- openssh-3.8p1.orig/ssh.1 (.../.transvn:beginning) (revision 25) +++ openssh-3.8p1/ssh.1 (revision 25) @@ -614,6 +614,7 @@ .It CheckHostIP .It Cipher .It Ciphers +.It CloseCommand .It ClearAllForwardings .It Compression .It CompressionLevel @@ -639,6 +640,7 @@ .It MACs .It NoHostAuthenticationForLocalhost .It NumberOfPasswordPrompts +.It OpenCommand .It PasswordAuthentication .It Port .It PreferredAuthentications Index: ss...
2016 May 03
2
StreamLocal forwarding
...s to configure the server to allow StreamLocalForwarding via > > a unique Unix socket on the host, that relays back to the client. > > > > i.e. on the client (named gateway for this example, but will be unique > > once deployed in volume): > > > > /usr/bin/ssh -o CheckHostIP=yes -o LogLevel=INFO -o > > ServerAliveCountMax=3 -o ServerAliveInterval=5 -o > > StrictHostKeyChecking=yes -o TCPKeepAlive=yes -o > > StreamLocalBindUnlink=yes -o ExitOnForwardFailure=yes -o BatchMode=yes > > -nN -R /sshvpn/gateway:127.0.0.1:22 -p 52221 sshvpn at host >...