When a client connects to a server using SSH and authentication keys, the "authorized_keys" file is used to authenticate the user and the "known_hosts" file is used to authenticate the server.
In my scenario, the server will always have the same hostname, but there's a chance that its IP Address will change. So the IP Address won't match the IP Address of the "known_hosts" file on the client.
My question is: will the client ask if I trust the server I'm connecting on? And someone will have to type "yes"? Or since the hostname remains the same, it will be able to connect without asking any questions?
My question is: will the client ask if I trust the server I'm connecting on? And someone will have to type "yes"? Or since the hostname remains the same, it will be able to connect without asking any questions?
One thing to do is to read the manual page on ssh. It discusses how hosts are identified and authenticated. It actually implies that the ssh key is one of the main validation points and thus IP spoofing or simple IP address changes are something that it understands and recognizes. In the event of IP address spoofing, the key will not exist at the spoofing side so the session will fail. For IP address changes, the key will exist on both sides so authentication should still pass.
So I'm not sure it will ask if the host is trusted since they already do have a key. known_hosts is not a file containing hostname and address, both of those are not found in that file and instead ssh keys are found in that file.
My question is: will the client ask if I trust the server I'm connecting on? And someone will have to type "yes"? Or since the hostname remains the same, it will be able to connect without asking any questions?
It shouldn't be a problem. I have a laptop that gets a different IP address on my network depending on whether I'm using a wireless or wired connection. I've never had an issue with the one host key not being accepted.
In my scenario, the server will always have the same hostname, but there's a chance that its IP Address will change. So the IP Address won't match the IP Address of the "known_hosts" file on the client.
My question is: will the client ask if I trust the server I'm connecting on? And someone will have to type "yes"? Or since the hostname remains the same, it will be able to connect without asking any questions?
It will not ask any questions if the hostname used to connect is the same - in other words, you're connecting with something like "ssh myserver.flibby.org" rather than "ssh 24.25.200.57". It will, however, give a warning that looks something like this if the IP address has changed to something that was never connected to before:
Code:
Warning: Permanently added the ECDSA host key for IP address '24.25.200.57' to the list of known hosts.
It does not require pressing any key or anything to continue past this warning, and if you're the end user you might not even notice the warning. But it's there.
HOWEVER, if this "new" IP address is coincidentally the IP address of a computer which the user has, in the past, connected to, it will likely throw a big warning of a possible man-in-the-middle attack. That is, unless the previous computer had the same public key (i.e. it was the same computer last time).
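The outcomes described in the replies above can be checked ahead of an IP change by looking up both the hostname and the new address in `known_hosts`. The following is an added example, not code from the thread or from OpenSSH: a simplified model that assumes the client's IP check (`CheckHostIP yes`) is enabled, ignores wildcard and negated host patterns, and uses a constructed sample file with placeholder key blobs and made-up hosts.

```python
import base64
import hashlib
import hmac

# Constructed sample known_hosts; key blobs are short placeholders, not real keys.
KNOWN_HOSTS = """\
# constructed sample
myserver.example.org,192.0.2.10 ecdsa-sha2-nistp256 AAAAKEY_A
192.0.2.57 ecdsa-sha2-nistp256 AAAAKEY_B
"""

def host_matches(pattern, host):
    """Match one host-field entry, either plain or hashed (|1|salt|hash)."""
    if pattern.startswith("|1|"):
        _, _, salt, digest = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest))
    return pattern == host

def lookup(known_hosts, host, keytype):
    """Return the set of key blobs recorded for host with the given key type."""
    keys = set()
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # skip blanks, comments and @cert-authority/@revoked lines
        if fields[1] == keytype and any(host_matches(p, host) for p in fields[0].split(",")):
            keys.add(fields[2])
    return keys

def classify(known_hosts, hostname, ip, keytype, offered):
    """Simplified model of what the client does for a given hostname/IP/key."""
    by_name = lookup(known_hosts, hostname, keytype)
    by_ip = lookup(known_hosts, ip, keytype)
    if not by_name:
        return "prompt: unknown host"
    if offered not in by_name:
        return "refuse: host key changed"
    if not by_ip:
        return "connect: key added for new IP (warning only)"
    if offered not in by_ip:
        return "warn: key differs from the one recorded for this IP"
    return "connect: silent"
```

On a real client, `ssh-keygen -F <host-or-ip>` performs the same lookup against your own `known_hosts`, including hashed entries.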