Re: SSH & xauth

[provos () CITI UMICH EDU (Niels Provos)]

Hi Robert,

This thread was about how default configurations can have negative
impact on security. You mention the CheckHostIP option in OpenSSH.
CheckHostIP defaults to 'yes'.  It introduces only additional checks
and has not influence on permitting an SSH session to proceed. Thus it
has no negative impact on your system security.

I do not agree with your assumption that most SSH servers use dynamic
IP addresses.  I believe that for the majority of users the contrary
is true.  However, if you are in an environment with dynamic IP
addresses, you can turn the CheckHostIP option off.

In message <Pine.NEB.3.96L.1000225211428.18984A-100000 () fledge watson org>, Robe
rt Watson writes:
> You can even imagine DNS-based spoofing causing some problems, if combined
> with IP spoofing, as ssh-by-ip to a spoofed host would not generate an
> unknown key warning, instead, it would connect with full trust.  This
> attack is a little of a stretch on convenience for the attacker, but is
> feasible.
This is not true.  If you did not authorize a (canonical hostname,
public key) binding [by inserting it into OpenSSH's knownhosts file],
you will always get a warning.  Please verify your facts before you
post.

If you have questions about OpenSSH in the future, you can reach us at
openssh () openssh com.

Greetings,
 Niels.