13

What are the actual security implications of setting CheckHostIP no in SSH client configuration?

There are some discussions about this (e.g. https://askubuntu.com/a/48339) and recommendations to set it to yes for extra security (e.g. https://security.stackexchange.com/a/8479, https://serverfault.com/a/193634), but some people also say it doesn't really matter for security (https://unix.stackexchange.com/a/285551).

What kinds of attacks are possible with CheckHostIP no that are prevented/detected with CheckHostIP yes?

Afterthought: does CheckHostIP no mean that the SSH key of the target host is not checked at all? If so, how do I securely connect to a machine with a dynamic IP address?

oliver

1 Answer

7

CheckHostIP no means that ssh does not check the host IP address in the known_hosts file. So only if CheckHostIP is set to no can a DNS server return a different IP address than the one written in the known_hosts file without a warning from the ssh client.

For example, an entry in an (unhashed) known_hosts file could be:

www.example.org,1.2.3.4 ssh-rsa AAAA...njvPw==

If CheckHostIP is set to no, a DNS server can return a different IP than 1.2.3.4 as the address for www.example.org. But the SSH key is still checked. CheckHostIP no only means to expect that the IP is variable and to do the key checking against the hostname.

Therefore, if (1) CheckHostIP is set to no and (2) an attacker can control the DNS and (3) has your private key, he can set up a server which will at first appear like the original one. That can be bad for confidentiality. Think about a backup server. But if preconditions 2+3 are met, an attacker is already able to compromise your system. With CheckHostIP no, only further attacks become possible.

40F4
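A simplified model of the known_hosts lookup the answer describes, added here as an example; it is not OpenSSH's code and not part of the original answer. The function names, sample entries, placeholder key blobs and outcome strings are assumptions, and outcomes assume the default StrictHostKeyChecking ask.

```python
# Simplified model of the ssh client's known_hosts lookup (not OpenSSH code).
# KNOWN_HOSTS is a constructed, unhashed sample; key blobs are placeholders.
KNOWN_HOSTS = """\
www.example.org,1.2.3.4 ssh-rsa KEY_A
5.6.7.8 ssh-rsa KEY_B
"""

def parse(text):
    """Map each host name or address to the (type, blob) pairs recorded for it."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        names, ktype, blob = line.split()[:3]
        for name in names.split(","):
            table.setdefault(name, set()).add((ktype, blob))
    return table

def status(table, name, key):
    """'ok' if key is recorded for name, 'changed' if another key of that type is, else 'new'."""
    known = table.get(name, set())
    if key in known:
        return "ok"
    return "changed" if any(t == key[0] for t, _ in known) else "new"

def check(table, host, ip, key, check_host_ip):
    """Outcome for a server reached as host -> ip that presents key."""
    by_host = status(table, host, key)   # done regardless of CheckHostIP
    if by_host == "changed":
        return "reject: host key changed"
    if by_host == "new":
        return "prompt: unknown host"
    if not check_host_ip:
        return "accept"                  # the resolved address is never looked up
    by_ip = status(table, ip, key)       # the extra lookup CheckHostIP yes adds
    if by_ip == "changed":
        return "warn: key differs from the one recorded for this IP"
    return "accept: new IP noted" if by_ip == "new" else "accept"

if __name__ == "__main__":
    t, key_a = parse(KNOWN_HOSTS), ("ssh-rsa", "KEY_A")
    for ip in ("1.2.3.4", "9.9.9.9", "5.6.7.8"):
        for mode in (True, False):
            print(ip, "CheckHostIP", "yes" if mode else "no", "->",
                  check(t, "www.example.org", ip, key_a, mode))
```

In both modes a server presenting a key other than the recorded one for www.example.org is rejected; the setting only changes whether the resolved address is compared as well.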