There are many discussions about this option and most people argue that "it improves security", "it protects you from MiTM attacks/DNS spoofing", etc, but I fail to see how that is true. ssh_config(5)
says that the option
"allows ssh to detect if a host key changed due to DNS spoofing"
but it still seems vague or even misleading, because 1) the option doesn't detect if a "host key has changed" but only if a host's IP has changed, and 2) It doesn't elaborate on what it does when it detects such a thing (for example, does it stop the connection from happening?).
Because of the vagueness of the documentation, other people even seem to believe that CheckHostIP=yes
will not let you connect to a host that has changed its IP (i.e. it has a different IP than the one that is already recorded in known_hosts
) which is totally untrue, at least as far as I can understand through my own tests.
- When I connect with
CheckHostIP=yes
(the default) to a remote server whose host key is already stored inknown_hosts
, but has changed its IP, the connection proceeds normally but I get a warning:
"Permanently added the ECDSA host key for IP address [......]"
Also a new line is appended into known_hosts
, containing the server's host key (which has not changed) and the new IP address (which is different). If the host later changes its IP again and I connect to it with CheckHostIP=yes
, a new line will be appended in known_hosts
, and so on.
- If I connect with
CheckHostIP=no
to a server that has changed its IP address, the connection proceeds (which is what also happens withCheckHostIP=yes
) but this time without a warning, and without appending a new line inknown_hosts
.
So the only difference between yes
and no
seems to be only a simple one-line warning upon connecting, plus the recording of new addresses in known_hosts
every time the host changes its IP (effectively keeping a history record of a server's different IP's through time).
If that's the case then I'm not even sure that CheckHostIP=yes
is better than CheckHostIP=no
, because if the client machine was compromised the attacker would be able to deduce from known_hosts
that 1) The server with the host key X has a dynamic IP, and 2) It has changed its IP address Y times. Obviously it's not much and I doubt the attacker could actually do something with that bit of information, but it is leakage of information that would not happen with CheckHostIP=no
.
I have tried the above with two separate ssh servers that have dynamic IP's (I use a free DDNS service to connect to them).
Can an SSH guru confirm to me that this is all the protection CheckHostIP=yes
offers (a warning that doesn't even ask for user interaction), or correct me if I am terribly wrong about something? Should I just always keep CheckHostIP=no
for connections to servers that I know will be changing their IP's through time?
An "SSH guru" has affirmed your position.
SSH v8.5 (released 2021-03-03) follows through and turns
CheckHostIP
off with this changelog message:If you're still feeling skittish, you can just turn it off for hosts with dynamic IPs.
I personally find it extremely improbable that you're dealing with a threat actor who can
…but somehow you'll be saved by the "Warning: Permanently added host key" message when connecting to a host that shows you that warning every time.