| Field | Value | Date |
|---|---|---|
| author | djm@openbsd.org <djm@openbsd.org> | 2020-10-08 00:31:05 +0000 |
| committer | Damien Miller <djm@mindrot.org> | 2020-10-08 12:28:06 +1100 |
| commit | 3205eaa3f8883a34fa4559ddef6c90d1067c5cce (patch) | |
| tree | f00771f63b9140736f5184100930e8114a27c59b | |
| parent | e8dfca9bfeff05de87160407fb3e6a5717fa3dcb (diff) | |
upstream: clarify conditions for UpdateHostkeys
OpenBSD-Commit-ID: 9cba714cf6aeed769f998ccbe8c483077a618e27
| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | ssh_config.5 | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/ssh_config.5 b/ssh_config.5 index 2f1886a1..8e427765 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.335 2020/10/07 02:18:45 djm Exp $ -.Dd $Mdocdate: October 7 2020 $ +.\" $OpenBSD: ssh_config.5,v 1.336 2020/10/08 00:31:05 djm Exp $ +.Dd $Mdocdate: October 8 2020 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -1717,8 +1717,14 @@ or This option allows learning alternate hostkeys for a server and supports graceful key rotation by allowing a server to send replacement public keys before old ones are removed. +.Pp Additional hostkeys are only accepted if the key used to authenticate the -host was already trusted or explicitly accepted by the user. +host was already trusted or explicitly accepted by the user, the host was +authenticated via +.Cm UserKnownHostsFile +(i.e. not +.Cm GlobalKnownHostsFile ) +and the host was authenticated using a plain key and not a certificate. .Pp .Cm UpdateHostKeys is enabled by default if the user has not overridden the default |
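Review bot: in the second hunk (the `@@ -1717,8 +1717,14 @@` region) the rewritten sentence strings three conjunctive conditions together with commas ("... was already trusted or explicitly accepted by the user, the host was authenticated via .Cm UserKnownHostsFile ... and the host was authenticated using a plain key and not a certificate"), which reads as a run-on and makes it easy to miss that all three must hold for a new hostkey to be accepted. Consider introducing the conditions with "only accepted if all of the following hold:" and listing them with `.Bl -bullet` / one `.It` per condition / `.El`, which is the usual mdoc form for such lists and keeps each condition on its own line. The closing `)` passed as a separate argument after `.Cm GlobalKnownHostsFile` is correct mdoc trailing-punctuation handling and needs no change; the RCS id and `.Dd` bump in the first hunk match the commit date.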