Gobal ssh:known_hosts and DNS CNAMEs
 

Currently I am populating a global ssh_known_hosts file with RSA and DSS host keys.

Some users don't use the fqdn of a server to logon via ssh as the servers also possess CNAMEs according to their function.

So the user has to maintain his or her own known_hosts file which is error prone.

For example if a server becomes obsolete and the CNAME points to a different server, the user gets informed about possible man-in-the-middle attack and host keys change.

If this happens regularily, the user may just ignore this message and the additional protection vanishes.

Is there a way that ssh only uses the ip address to check the hosts key? Ultimatively strict host key checking should be enabled.

The DNS server is a Windows server that does not support storing the host keys. I have no access to the zones and may not transfer them. So I cannot dig out all CNAMEs for a server and use them in the ssh_known_hosts file.

I think what you face is a feature. When the CNAME points to a different server it should warn the user of course. You want to disable this?

What you can do, is to supply a global ssh_config file, where you map arbitrary names to real hostnames. So at least some of the CNAMEs would be replaced by another (real) hostname by such an entry, and they work more like abbreviations.