Hi Robert,

This thread was about how default configurations can have a negative impact on security. You mention the CheckHostIP option in OpenSSH.

CheckHostIP defaults to 'yes'. It introduces only additional checks and has no influence on permitting an SSH session to proceed. Thus it has no negative impact on your system security.

I do not agree with your assumption that most SSH servers use dynamic IP addresses. I believe that for the majority of users the contrary is true. However, if you are in an environment with dynamic IP addresses, you can turn the CheckHostIP option off.

In message <Pine.NEB.3.96L.1000225211428.18984A-100000at_private>, Robert Watson writes:
>You can even imagine DNS-based spoofing causing some problems, if combined
>with IP spoofing, as ssh-by-ip to a spoofed host would not generate an
>unknown key warning, instead, it would connect with full trust. This
>attack is a little of a stretch on convenience for the attacker, but is
>feasible.

This is not true. If you did not authorize a (canonical hostname, public key) binding [by inserting it into OpenSSH's knownhosts file], you will always get a warning.

Please verify your facts before you post. If you have questions about OpenSSH in the future, you can reach us at opensshat_private

Greetings,
Niels.