Currently I am populating a global ssh_known_hosts file with RSA and DSS host keys.
Code:
short_name, fqdn, 192.168.x.y ssh-dss.........
short_name, fqdn, 192.168.x.y ssh-rsa.........
Some users don't use the fqdn of a server to log on via ssh, as the servers also possess CNAMEs according to their function.
So the user has to maintain his or her own known_hosts file, which is error prone.
For example, if a server becomes obsolete and the CNAME points to a different server, the user gets informed about a possible man-in-the-middle attack and a host key change.
If this happens regularly, the user may just ignore this message and the additional protection vanishes.
Is there a way that ssh only uses the ip address to check the host key? Ultimately strict host key checking should be enabled.
The DNS server is a Windows server that does not support storing the host keys. I have no access to the zones and may not transfer them. So I cannot dig out all CNAMEs for a server and use them in the ssh_known_hosts file.
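As an added illustration of the stale-CNAME problem described above (example code, not part of the original post): it parses entries in the global ssh_known_hosts format shown (`short_name,fqdn,ip keytype key`) and, given a name-to-IP map standing in for DNS, reports user known_hosts entries whose CNAME now points at a server whose recorded host key differs, which is exactly the case that produces the host-key-changed warning. The sample entries, key strings and the `DNS` map are constructed.

```python
import socket

# Constructed sample data: two servers with RSA and DSS keys in the global file,
# and a user's known_hosts keyed by functional CNAMEs.
GLOBAL_KNOWN_HOSTS = """\
srv01,srv01.example.com,192.168.1.10 ssh-rsa AAAAB3KEY-SRV01-RSA
srv01,srv01.example.com,192.168.1.10 ssh-dss AAAAB3KEY-SRV01-DSS
srv02,srv02.example.com,192.168.1.11 ssh-rsa AAAAB3KEY-SRV02-RSA
srv02,srv02.example.com,192.168.1.11 ssh-dss AAAAB3KEY-SRV02-DSS
"""
USER_KNOWN_HOSTS = """\
mail.example.com ssh-rsa AAAAB3KEY-SRV01-RSA
web.example.com ssh-rsa AAAAB3KEY-SRV02-RSA
"""
# Constructed stand-in for DNS: mail.example.com was moved from srv01 to srv02.
# In practice this would be built with socket.gethostbyname(name) per CNAME.
DNS = {"mail.example.com": "192.168.1.11", "web.example.com": "192.168.1.11"}


def parse_known_hosts(text):
    """Map every hostname/IP pattern on each line to {keytype: key}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments and marker lines (@cert-authority, @revoked).
        if not line or line[0] in "#@":
            continue
        names, keytype, key = line.split()[:3]
        for name in names.split(","):
            table.setdefault(name, {})[keytype] = key
    return table


def stale_entries(global_hosts, user_hosts, dns):
    """Return (name, ip, keytype) for user entries whose name now resolves to
    an IP whose key in the global file differs from what the user recorded."""
    stale = []
    for name, keys in user_hosts.items():
        ip = dns.get(name)
        if ip is None or ip not in global_hosts:
            continue  # unknown name or IP not in the global file: nothing to compare
        for keytype, key in keys.items():
            current = global_hosts[ip].get(keytype)
            if current is not None and current != key:
                stale.append((name, ip, keytype))
    return sorted(stale)


def find_stale():
    return stale_entries(parse_known_hosts(GLOBAL_KNOWN_HOSTS),
                         parse_known_hosts(USER_KNOWN_HOSTS), DNS)
```

Running `find_stale()` on the sample data reports only `mail.example.com`, whose recorded key belongs to the server the CNAME no longer points at.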