Can we have better ssh fingerprint collision messages?

Jeffrey Bastian jbastian at
Wed Nov 13 21:19:34 UTC 2013

On Wed, Nov 13, 2013 at 01:29:34PM -0500, Przemek Klosowski wrote:
> On 11/12/2013 07:47 AM, Miroslav Suchý wrote:
> >   2) if you know that some machines change fingerprint and you *trust it* you
> >   can do:
> >
> >   ~/.ssh/config:
> >   Host
> >       UserKnownHostsFile /dev/null
> It always bugged me that the choice was to either disable or manually edit an
> obscure file, so I was happy to find that you can delete stale entries from
> commandline:
> ssh-keygen -R hostname

I work on some lab systems that get kickstarted frequently and thus
change ssh keys quite often, so I wrote the script below to update my
known_hosts file with the new key.

Note that I use the format "hostname,ip-address" so that I don't get two
entries in my known_hosts file (which causes its own set of problems if the
system gets a new IP address due to DHCP changes).


IP_ADDR=$(host $NEW_HOST | awk '/has address/{print $NF}')

if ! grep -q $NEW_HOST $KNOWN_HOSTS ; then
        echo "Could not find $NEW_HOST in $KNOWN_HOSTS"
ssh-keygen -R $NEW_HOST
ssh-keyscan $NEW_HOST >> $KNOWN_HOSTS


More information about the devel mailing list