On 02/11/2014 03:52 PM, Paul E Condon wrote:
> ... Known host checking is done, I think, to defend against 'man in
> the middle', so when the known host key changes because of some event
> down in the bowels of dynamic dns, does one have any possibility of
> determining that it is truly *not* a man-in-the-middle attack? Is
> there some method for checking up on dynamic dns changes other than
> merely noting the new value and adapting to it? ...
The host key does not change in this case; it's just that with dynamic DNS the same host gets a new IP address. That means that the same key can have multiple entries in known_hosts. known_hosts can get long and unwieldy, filling with IP numbers that will never be used again.

In the case where the host key does get changed (system replaced without backing up keys, for example), then StrictHostKeyChecking set to 'yes' or 'ask' shows the fingerprint before adding it to known_hosts.

It is also possible to pre-load in advance the user's known_hosts or the system's known_hosts with the appropriate public key.

Regards,
/Lars

Archive: http://lists.debian.org/52fa3a23.3040...@gmail.com