There are many discussions about this option and most people argue that "it improves security", "it protects you from MiTM attacks/DNS spoofing", etc, but I fail to see how that is true. ssh_config(5) says that the option
"allows ssh to detect if a host key changed due to DNS spoofing"
but it still seems vague or even misleading, because 1) the option doesn't detect if a "host key has changed" but only if a host's IP has changed, and 2) It doesn't elaborate on what it does when it detects such a thing (for example, does it stop the connection from happening?).
Because of the vagueness of the documentation, other people even seem to believe that CheckHostIP=yes will not let you connect to a host that has changed its IP (i.e. it has a different IP than the one that is already recorded in known_hosts) which is totally untrue, at least as far as I can understand through my own tests.
- When I connect with
CheckHostIP=yes(the default) to a remote server whose host key is already stored inknown_hosts, but has changed its IP, the connection proceeds normally but I get a warning:
"Permanently added the ECDSA host key for IP address [......]"
Also a new line is appended into known_hosts, containing the server's host key (which has not changed) and the new IP address (which is different). If the host later changes its IP again and I connect to it with CheckHostIP=yes, a new line will be appended in known_hosts, and so on.
- If I connect with
CheckHostIP=noto a server that has changed its IP address, the connection proceeds (which is what also happens withCheckHostIP=yes) but this time without a warning, and without appending a new line inknown_hosts.
So the only difference between yes and no seems to be only a simple one-line warning upon connecting, plus the recording of new addresses in known_hosts every time the host changes its IP (effectively keeping a history record of a server's different IP's through time).
If that's the case then I'm not even sure that CheckHostIP=yes is better than CheckHostIP=no, because if the client machine was compromised the attacker would be able to deduce from known_hosts that 1) The server with the host key X has a dynamic IP, and 2) It has changed its IP address Y times. Obviously it's not much and I doubt the attacker could actually do something with that bit of information, but it is leakage of information that would not happen with CheckHostIP=no.
I have tried the above with two separate ssh servers that have dynamic IP's (I use a free DDNS service to connect to them).
Can an SSH guru confirm to me that this is all the protection CheckHostIP=yes offers (a warning that doesn't even ask for user interaction), or correct me if I am terribly wrong about something? Should I just always keep CheckHostIP=no for connections to servers that I know will be changing their IP's through time?