I have a server with dedicated IP address A
and a server with dynamic IP address B
(routing via no-ip.org). A uploads a backup to B via sshpass:
export SSHPASS=***
sshpass -e sftp **@** << !
[..]
put [..]
bye
!
Every time now on (A) the following happens:
Warning: Permanently added the ECDSA host key for IP address '[...]' to the list of known hosts.
I have some feeling that this might be not a safe method to transfer the backup data (tar file). Is it possible for someone to intercept the backup?
Also, shouldn’t I remove the IP from the list of known hosts again afterwards? The backup is run every day. Sounds like a long list of known hosts that are just dynamic!
This warning message is not indicating a security risk, because it has already verified that the host key sent by the server matches the known host key for the host name you are connecting to. (I'd actually say the word "Warning" should have been left out of this particular message.)

You could clean up those dynamically added IP + host key pairs from the list of known hosts. But they are not really hurting, and should you ever need to ssh to the host by IP address rather than by hostname it is convenient to have the entry already in the known hosts file.
If you connect to multiple different hosts with dynamic IP, you may eventually run into a case where one host receives an IP address for which ssh previously recorded a different host key. In this case you will get an error, and you will need to remove the obsolete IP + host key pair. (The pair to be removed gets a bit harder to identify if you are hashing the lines in the known hosts file.)

One thing you can do to improve security is to use key based authentication instead of password based authentication. Not only is a key harder to guess than a password, it is also harder to perform a MITM attack, because the key is actually used to sign a session id which is guaranteed to mismatch in case of a MITM attack.
The "warning" only indicates that the host IP address has changed, which you are expecting to happen.

The OpenSSH client checks for an IP change to give you a "DNS spoofing hint" when the host key changes. As in your case the host key is correct, the warning is pointless, as @kasperd explains.

Actually, as you are expecting the IP change, you can turn off CheckHostIP to avoid the warning. Had the host key changed, you would get a warning nevertheless.