Mailing List Archive

How to remove old entries from known_hosts?
Is there any way to remove old entries from the known_hosts file? With
the hashed 'names' one can't easily see which entries are which. I
have around 150 lines in my known hosts but in reality I only ssh to a
dozen or so systems. All the redundant ones are because I have a
mixed population of Raspberry Pis and such on my LAN and they get
rebuilt fairly frequently and thus, each time, get a new entry in
known_hosts.

As a result I have to set 'PreferredAuthentications password' for some
systems because there are *loads* of redundant keys which cause login
to fail otherwise.

--
Chris Green
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: How to remove old entries from known_hosts?
On 14/02/2024 11:42, Chris Green wrote:
> Is there any way to remove old entries from the known_hosts file? With
> the hashed 'names' one can't easily see which entries are which. I
> have around 150 lines in my known hosts but in reality I only ssh to a
> dozen or so systems. All the redundant ones are because I have a
> mixed population of Raspberry Pis and such on my LAN and they get
> rebuilt fairly frequently and thus, each time, get a new entry in
> known_hosts.
>
> As a result I have to set 'PreferredAuthentications password' for some
> systems because there are *loads* of redundant keys which cause login
> to fail otherwise.
>
Set 'HashKnownHosts no' in /etc/ssh/ssh_config.  This is actually the
default for OpenSSH, but many distro vendors set it to yes because "it's
more secure, obvs".

Connect to all the machines you need to and delete the lines which
conflict (ssh will tell you the line number). When your known_hosts
seems to contain the hosts you want, delete all the hashed ones. Or
simply start from scratch with an empty known_hosts.

To disable host key checking altogether for certain domains and/or
networks, you can put this in ~/.ssh/config:

host *.lab.example.com 10.11.*
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null


Re: How to remove old entries from known_hosts?
On Wed, 14 Feb 2024 at 22:52, Chris Green <cl@isbd.net> wrote:
> Is there any way to remove old entries from the known_hosts file? With
> the hashed 'names' one can't easily see which entries are which.

ssh-keygen -R. From the man page:

-R hostname | [hostname]:port
        Removes all keys belonging to the specified hostname (with
        optional port number) from a known_hosts file. This option is
        useful to delete hashed hosts (see the -H option above).

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: How to remove old entries from known_hosts?
On Thu, Feb 15, 2024 at 12:06:55AM +1100, Darren Tucker wrote:
> On Wed, 14 Feb 2024 at 22:52, Chris Green <cl@isbd.net> wrote:
> > Is there any way to remove old entries from the known_hosts file? With
> > the hashed 'names' one can't easily see which entries are which.
>
> ssh-keygen -R. From the man page:
>
> -R hostname | [hostname]:port
>         Removes all keys belonging to the specified hostname (with
>         optional port number) from a known_hosts file. This option is
>         useful to delete hashed hosts (see the -H option above).
>
Yes, thank you.

--
Chris Green
Re: How to remove old entries from known_hosts?
Brian Candler wrote:
> Chris Green wrote:
> > ... redundant ones are because I have a mixed population of
> > Raspberry Pis and such on my LAN and they get rebuilt fairly
> > frequently and thus, each time, get a new entry in known_hosts.
> ...many useful tips...
> To disable host key checking altogether for certain domains and/or networks,
> you can put this in ~/.ssh/config:
>
> host *.lab.example.com 10.11.*
> StrictHostKeyChecking no
> UserKnownHostsFile /dev/null
> ...many useful tips...

Additionally I would consider setting up global ssh_known_hosts
containing the ssh host keys for your network. If a key is in the
global file then it won't be added to the local client file. The
global hosts file can be updated as you rebuild your lab machines and
contain a canonical set of host keys for your LAN. I do this.

Bob
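Added example (Python, written for this page; it is not code from the thread, from OpenSSH or from any of the posters) that ties together three of the suggestions above: Brian's "delete the lines which conflict (ssh will tell you the line number)", Darren's ssh-keygen -R, and Bob's global ssh_known_hosts. It re-implements the known_hosts lookup itself (plain pattern lists, [host]:port for non-standard ports, "!" negation, and the HashKnownHosts form |1|base64(salt)|base64(HMAC-SHA1(salt, name))), so hashed lines can be attributed to the dozen hosts you actually use instead of staying opaque. remove_host mirrors -R, including the detail that @cert-authority and @revoked lines are left in place, and audit reports which client lines the global file already covers, which carry an old key from a rebuild, and which match none of your hosts. The host names, the fixed salt and the key blobs in the sample files are constructed placeholders, not real keys.

```python
# Added example, not code from the thread or from OpenSSH. It re-implements the
# known_hosts lookup behind `ssh-keygen -F` / `-R` (plain patterns, [host]:port and
# HashKnownHosts |1|salt|hash lines) so hashed lines can be attributed to the hosts
# you actually use, and audits a client file against a global ssh_known_hosts.
# The sample files are constructed; their key blobs are placeholders.
import base64, binascii, hashlib, hmac, os, re
from collections import namedtuple

HASH_MAGIC = "|1|"
# marker: "", "@cert-authority" or "@revoked"; hosts: "a,b,!c", "[h]:2222" or "|1|salt|hash"
Entry = namedtuple("Entry", "lineno marker hosts keytype key line")

def parse_known_hosts(text):
    """Parse known_hosts text; blank, comment and malformed lines are skipped."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = fields.pop(0) if fields[0].startswith("@") else ""
        if len(fields) >= 3:
            entries.append(Entry(n, marker, fields[0], fields[1], fields[2], line))
    return entries

def canonical_name(host, port=22):
    """ssh looks up the lowercased 'host' on port 22 and '[host]:port' otherwise."""
    return host.lower() if port == 22 else f"[{host.lower()}]:{port}"

def _mac_b64(name, salt):
    return base64.b64encode(hmac.new(salt, name.encode(), hashlib.sha1).digest()).decode()

def hash_host(name, salt=None):
    """The field HashKnownHosts writes: |1|b64(salt)|b64(HMAC-SHA1(salt, name))."""
    salt = os.urandom(20) if salt is None else salt
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + _mac_b64(name, salt)

def _glob(pattern, name):
    # Only '*' and '?' are wildcards: no [] classes, which would clash with [host]:port.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern.lower())
    return re.fullmatch(rx, name) is not None

def entry_matches(entry, host, port=22):
    """True if the line applies to host:port, honouring hashing and '!' negation."""
    name = canonical_name(host, port)
    if entry.hosts.startswith(HASH_MAGIC):
        try:
            _, _, b64salt, b64mac = entry.hosts.split("|")
            salt = base64.b64decode(b64salt)
        except (ValueError, binascii.Error):
            return False
        return hmac.compare_digest(_mac_b64(name, salt), b64mac)
    matched = False
    for pat in entry.hosts.split(","):
        if pat.startswith("!"):
            if _glob(pat[1:], name):
                return False          # a negated pattern vetoes the whole line
        elif _glob(pat, name):
            matched = True
    return matched

def remove_host(text, host, port=22):
    """Like ssh-keygen -R: drop lines matching host; @cert-authority/@revoked lines stay.
    Returns (new_text, removed_line_numbers)."""
    doomed = {e.lineno for e in parse_known_hosts(text)
              if not e.marker and entry_matches(e, host, port)}
    kept = [l for n, l in enumerate(text.splitlines(), 1) if n not in doomed]
    return "".join(l + "\n" for l in kept), sorted(doomed)

def audit(user_text, global_text, hosts):
    """Classify user-file lines for the (host, port) pairs you really use: redundant
    (global has the same key), stale (global has a different key: an old rebuild),
    uncovered (global has nothing for it) and unattributed (matches none of them)."""
    user, glob = parse_known_hosts(user_text), parse_known_hosts(global_text)
    report = {"redundant": [], "stale": [], "uncovered": [], "unattributed": []}
    seen = set()
    for host, port in hosts:
        canon = {(e.keytype, e.key) for e in glob if entry_matches(e, host, port)}
        for e in user:
            if not e.marker and entry_matches(e, host, port):
                seen.add(e.lineno)
                bucket = ("uncovered" if not canon else
                          "redundant" if (e.keytype, e.key) in canon else "stale")
                report[bucket].append((e.lineno, canonical_name(host, port)))
    report["unattributed"] = [e.lineno for e in user if not e.marker and e.lineno not in seen]
    return report

# Constructed sample data; key blobs are placeholders, not real host keys.
SALT = b"\x01" * 20   # fixed so the hashed sample lines are reproducible
USER_KNOWN_HOSTS = "\n".join([
    "pi1.lan ssh-ed25519 AAAAkeyPi1old",                      # pre-rebuild key
    hash_host("pi1.lan", SALT) + " ssh-ed25519 AAAAkeyPi1",   # current key, hashed
    "[nas.lan]:2222 ssh-ed25519 AAAAkeyNas",
    hash_host("10.11.0.7", SALT) + " ssh-rsa AAAAkeyGone",    # host no longer used
    "@cert-authority *.lab.example.com ssh-ed25519 AAAAkeyCA",
]) + "\n"
GLOBAL_KNOWN_HOSTS = "pi1.lan,10.11.0.5 ssh-ed25519 AAAAkeyPi1\n[nas.lan]:2222 ssh-ed25519 AAAAkeyNas\n"
HOSTS_IN_USE = [("pi1.lan", 22), ("nas.lan", 2222)]

if __name__ == "__main__":
    print(audit(USER_KNOWN_HOSTS, GLOBAL_KNOWN_HOSTS, HOSTS_IN_USE))
```

Run as a script it prints the audit of the constructed client file: line 1 is a stale pre-rebuild key for pi1.lan, lines 2 and 3 are already covered by the global file, and the hashed line 4 matches none of the hosts in use. That last bucket is the caveat behind Chris's original complaint: a hashed line can only ever be attributed to a name you supply, so whatever matches none of your candidates stays unattributed until you recognise it or, as Brian suggests, start again from an empty file. A real global file would hold the actual keys collected from each machine as it is rebuilt, for example with ssh-keyscan, which this offline example does not do.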
Re: How to remove old entries from known_hosts?
On Sat, Feb 17, 2024 at 2:58 PM Bob Proulx <bob@proulx.com> wrote:
>
> Brian Candler wrote:
> > Chris Green wrote:
> > > ... redundant ones are because I have a mixed population of
> > > Raspberry Pis and such on my LAN and they get rebuilt fairly
> > > frequently and thus, each time, get a new entry in known_hosts.
> > ...many useful tips...
> > To disable host key checking altogether for certain domains and/or networks,
> > you can put this in ~/.ssh/config:
> >
> > host *.lab.example.com 10.11.*
> > StrictHostKeyChecking no
> > UserKnownHostsFile /dev/null
> > ...many useful tips...
>
> Additionally I would consider setting up global ssh_known_hosts
> containing the ssh host keys for your network. If a key is in the
> global file then it won't be added to the local client file. The
> global hosts file can be updated as you rebuild your lab machines and
> contain a canonical set of host keys for your LAN. I do this.

And.... the cycles spent on yak shaving .ssh/known_hosts is why many
sites simply disable it. In environments where the exposed IP
addresses of rebuilt virtual hosts or proxies may shift without
notice, and especially when they may be rebuilt on previously used IP
addresses with old keys stored, maintaining .ssh/known_hosts becomes
more likely to disable expected and even mandatory operations than it
is to detect and help prevent a replaced host. Frankly, I gave up on
it years ago and use something like the settings below in
/etc/ssh/ssh_config.d/known_hosts.conf

Host *
StrictHostKeyChecking no
UserKnownHostsFile=/dev/null
LogLevel=ERROR

It can be set more restrictively for your local non-routable VLAN, but
in the last 25 years I've seen precisely *zero* cases where
.ssh/known_hosts prevented rather than caused problems. I have seen
sites pour a lot of time and money and effort into setting up signed
host keys, to avoid the IP migration conflict issues, but I'd
recommend spending the time and money elsewhere like auditing for SSH
private keys without passphrases.