Old 09-27-2016, 11:31 PM   #1
aristosv
Member
 
Registered: Dec 2014
Posts: 263

Rep: Reputation: 3
known_hosts, same hostname, different ip address


When a client connects to a server using SSH and authentication keys, the "authorized_keys" file is used to authenticate the user and the "known_hosts" file is used to authenticate the server.

In my scenario, the server will always have the same hostname, but there's a chance that its IP Address will change. So the IP Address won't match the IP Address of the "known_hosts" file on the client.

My question is: will the client ask if I trust the server I'm connecting to? And someone will have to type "yes"? Or since the hostname remains the same, it will be able to connect without asking any questions?

The OS is Debian 8, on client and server.
 
Old 09-28-2016, 02:26 AM   #2
SAbhi
Member
 
Registered: Aug 2009
Location: Bangaluru, India
Distribution: CentOS 6.5, SuSE SLED/ SLES 10.2 SP2 /11.2, Fedora 11/16
Posts: 665

Rep: Reputation: Disabled
Well, it won't be in the known hosts, so it will ask for confirmation.
 
Old 09-28-2016, 10:24 AM   #3
rtmistler
Moderator
 
Registered: Mar 2011
Location: USA
Distribution: MINT Debian, Angstrom, SUSE, Ubuntu, Debian
Posts: 9,882
Blog Entries: 13

Rep: Reputation: 4930
Quote:
Originally Posted by aristosv
My question is: will the client ask if I trust the server I'm connecting to? And someone will have to type "yes"? Or since the hostname remains the same, it will be able to connect without asking any questions?
One thing to do is to read the manual page on ssh. It discusses how hosts are identified and authenticated. It actually implies that the ssh key is one of the main validation points and thus IP spoofing or simple IP address changes are something that it understands and recognizes. In the event of IP address spoofing, the key will not exist at the spoofing side so the session will fail. For IP address changes, the key will exist on both sides so authentication should still pass.

So I'm not sure it will ask if the host is trusted, since they already do have a key. known_hosts is not a file containing hostname and address; both of those are not found in that file, and instead ssh keys are found in that file.
 
Old 09-28-2016, 01:13 PM   #4
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: Rocky Linux
Posts: 4,779

Rep: Reputation: 2212
Quote:
Originally Posted by aristosv
My question is: will the client ask if I trust the server I'm connecting to? And someone will have to type "yes"? Or since the hostname remains the same, it will be able to connect without asking any questions?
It shouldn't be a problem. I have a laptop that gets a different IP address on my network depending on whether I'm using a wireless or wired connection. I've never had an issue with the one host key not being accepted.
 
Old 09-28-2016, 02:29 PM   #5
IsaacKuo
Senior Member
 
Registered: Apr 2004
Location: Baton Rouge, Louisiana, USA
Distribution: Debian Stable
Posts: 2,546
Blog Entries: 8

Rep: Reputation: 465
Quote:
Originally Posted by aristosv
In my scenario, the server will always have the same hostname, but there's a chance that its IP Address will change. So the IP Address won't match the IP Address of the "known_hosts" file on the client.

My question is: will the client ask if I trust the server I'm connecting to? And someone will have to type "yes"? Or since the hostname remains the same, it will be able to connect without asking any questions?
It will not ask any questions if the hostname used to connect is the same - in other words, you're connecting with something like "ssh myserver.flibby.org" rather than "ssh 24.25.200.57". It will, however, give a warning that looks something like this if the IP address has changed to something that was never connected to before:

Code:
Warning: Permanently added the ECDSA host key for IP address '24.25.200.57' to the list of known hosts.
It does not require pressing any key or anything to continue past this warning, and if you're the end user you might not even notice the warning. But it's there.

HOWEVER, if this "new" IP address is coincidentally the IP address of a computer which the user has, in the past, connected to, it will likely throw a big warning of a possible man-in-the-middle attack. That is, unless the previous computer had the same public key (i.e. it was the same computer last time).
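
The three outcomes described in the post above, as an added example that is not part of the thread: a simplified Python model of the client's known_hosts lookup with CheckHostIP enabled, covering both plain and hashed (`|1|salt|hash`) entries. Function names, key strings and addresses are constructed for illustration; this is not OpenSSH's code.

```python
import base64, hashlib, hmac

def hash_host(host, salt):
    """Build a hashed host field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def field_names_host(field, host):
    """Does the first field of a known_hosts line name this hostname or address?"""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in field.split(",")  # exact names only; wildcards are not modelled

def keys_for(known_hosts, host):
    """Set of (keytype, key) pairs recorded for a hostname or an IP address."""
    keys = set()
    for line in known_hosts.splitlines():
        parts = line.split()
        # Skip blank lines, comments (#) and marker lines (@...).
        if len(parts) >= 3 and parts[0][0] not in "#@" and field_names_host(parts[0], host):
            keys.add((parts[1], parts[2]))
    return keys

def check(known_hosts, hostname, ip, offered):
    """Simplified model of the client decision; assumes CheckHostIP is enabled."""
    by_name, by_ip = keys_for(known_hosts, hostname), keys_for(known_hosts, ip)
    if not by_name:
        return "ask: unknown host, yes/no prompt"
    if offered not in by_name:
        return "refuse: host key for this name changed"
    if not by_ip:
        return "connect: key added for new IP (one-line warning)"
    if offered not in by_ip:
        return "warn: this IP is on record with a different key"
    return "connect: silent"

# Constructed sample data: placeholder key strings and documentation addresses.
KEY_A = ("ecdsa-sha2-nistp256", "AAAAE2VjZHNhLXNhbXBsZS1rZXktQQ==")
KEY_B = ("ecdsa-sha2-nistp256", "AAAAE2VjZHNhLXNhbXBsZS1rZXktQg==")
KNOWN_HOSTS = "\n".join([
    "myserver.example.org,192.0.2.10 %s %s" % KEY_A,  # server name and old IP, plain
    "%s %s %s" % ((hash_host("192.0.2.77", b"constructed-salt"),) + KEY_B),  # other machine, hashed
])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.5", "192.0.2.77"):
        print(ip, "->", check(KNOWN_HOSTS, "myserver.example.org", ip, KEY_A))
```

On a real client, `ssh-keygen -F <host-or-ip>` performs the same lookup against your own known_hosts file, including hashed entries.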
 
  

