Can we have better ssh fingerprint collision messages?

Jeffrey Bastian jbastian at redhat.com
Wed Nov 13 21:19:34 UTC 2013


On Wed, Nov 13, 2013 at 01:29:34PM -0500, Przemek Klosowski wrote:
> On 11/12/2013 07:47 AM, Miroslav Suchý wrote:
> >   2) if you know that some machines change fingerprint and you *trust it* you
> >   can do:
> >
> >   ~/.ssh/config:
> >   Host 192.168.1.1
> >       UserKnownHostsFile /dev/null
> 
> 
> It always bugged me that the choice was to either disable or manually edit an
> obscure file, so I was happy to find that you can delete stale entries from
> commandline:
> 
> ssh-keygen -R hostname


I work on some lab systems that get kickstarted frequently and thus
change ssh keys quite often, so I wrote the script below to update my
known_hosts file with the new key.

Note that I use the format "hostname,ip-address" so that I don't get two
entries in my known_hosts file (which causes its own set of problems if the
system gets a new IP address due to DHCP changes).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/bin/sh
# Replace a reinstalled host's entry in known_hosts with the key it now serves.
# Usage: update-known-host HOSTNAME

KNOWN_HOSTS=~/.ssh/known_hosts
NEW_HOST=$1
[ -n "$NEW_HOST" ] || { echo "usage: $0 hostname" >&2; exit 1; }
# first A record only, so a multi-homed host does not produce a malformed "host,ip1 ip2" entry
IP_ADDR=$(host "$NEW_HOST" | awk '/has address/{print $NF; exit}')

# ssh-keygen -F also finds hashed (HashKnownHosts) entries, which a plain grep would miss
if ! ssh-keygen -F "$NEW_HOST" -f "$KNOWN_HOSTS" >/dev/null ; then
        echo "Could not find $NEW_HOST in $KNOWN_HOSTS" >&2
        exit 1
fi
ssh-keygen -R "$NEW_HOST" -f "$KNOWN_HOSTS"
# drop a stale IP-only entry too, otherwise it keeps warning after the hostname entry is fixed
[ -n "$IP_ADDR" ] && ssh-keygen -R "$IP_ADDR" -f "$KNOWN_HOSTS"
[ -n "$IP_ADDR" ] && NEW_HOST="$NEW_HOST,$IP_ADDR"
# ssh-keyscan records whatever key the network answers with (trust on first use);
# compare it against the fingerprint shown on the freshly kickstarted host's console when you can
ssh-keyscan "$NEW_HOST" >> "$KNOWN_HOSTS"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Jeff
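The script above appends whatever key ssh-keyscan receives, so the only protection against a man-in-the-middle at scan time is a fingerprint obtained out-of-band (for example read off the kickstarted host's console). The following is an added example, not code from the message or from OpenSSH: it rewrites known_hosts text the way ssh-keygen -R does (dropping plain, "hostname,ip" and HashKnownHosts-style |1|salt|hash entries for the host or its address, keeping @cert-authority and @revoked lines), appends a single "hostname,ip" entry as the message recommends, and refuses to do so unless the scanned key's SHA256 fingerprint matches the expected one. The key blobs, salt and known_hosts lines are constructed for illustration.

```python
#!/usr/bin/env python3
"""Replace a host's known_hosts entry only after checking the scanned key's
fingerprint against one obtained out-of-band.  Added example; the key
material and known_hosts lines are constructed for illustration."""
import base64
import hashlib
import hmac
import struct

HASH_MAGIC = "|1|"  # prefix of a HashKnownHosts entry: |1|base64(salt)|base64(hmac-sha1)


def fingerprint(b64_key: str) -> str:
    """OpenSSH SHA256 fingerprint of a base64 public-key blob (ssh-keygen -l format)."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host_matches(pattern: str, host: str) -> bool:
    """True if a |1|salt|hash pattern is HMAC-SHA1(salt, host)."""
    try:
        _, _, salt_b64, mac_b64 = pattern.split("|")
    except ValueError:
        return False
    salt = base64.b64decode(salt_b64)
    expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(mac_b64))


def line_matches(line: str, names: set) -> bool:
    """Does this known_hosts line belong to any of the given names/addresses?
    Marker lines (@cert-authority, @revoked) are never matched, as with ssh-keygen -R."""
    fields = line.split()
    if len(fields) < 3 or fields[0].startswith("@"):
        return False
    for pattern in fields[0].split(","):
        if pattern.startswith(HASH_MAGIC):
            if any(hashed_host_matches(pattern, n) for n in names):
                return True
        elif pattern in names:
            return True
    return False


def replace_host_key(known_hosts: str, host: str, ip: str,
                     keyscan_line: str, expected_fp: str) -> str:
    """Drop every entry for host or ip and append one "host,ip" entry for the
    scanned key, but only if its fingerprint equals the out-of-band value."""
    keytype, b64_key = keyscan_line.split()[1:3]  # ssh-keyscan prints: host type key
    actual_fp = fingerprint(b64_key)
    if actual_fp != expected_fp:
        raise ValueError(f"fingerprint mismatch for {host}: got {actual_fp}, expected {expected_fp}")
    names = {host, ip}
    kept = [l for l in known_hosts.splitlines() if not line_matches(l, names)]
    kept.append(f"{host},{ip} {keytype} {b64_key}")
    return "\n".join(kept) + "\n"


# --- constructed sample data (not real hosts or keys) ---------------------
def ed25519_blob(raw32: bytes) -> str:
    """Base64 of a wire-format ssh-ed25519 public key: string "ssh-ed25519", string key."""
    def sshstr(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(sshstr(b"ssh-ed25519") + sshstr(raw32)).decode()


def hashed_entry(host: str, salt: bytes) -> str:
    """Build the hostname field ssh would write with HashKnownHosts yes."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


OLD_KEY = ed25519_blob(bytes(range(32)))      # key of the host before it was kickstarted
NEW_KEY = ed25519_blob(bytes(range(32, 64)))  # key it serves now
SAMPLE_KNOWN_HOSTS = "\n".join([
    "lab1.example.com ssh-ed25519 " + OLD_KEY,   # stale hostname entry
    "192.168.1.1 ssh-ed25519 " + OLD_KEY,        # stale IP-only entry (the "two entries" case)
    hashed_entry("lab1.example.com", b"S" * 20) + " ssh-ed25519 " + OLD_KEY,  # hashed form
    "other.example.com ssh-ed25519 " + ed25519_blob(b"\xaa" * 32),
    "@cert-authority *.example.com ssh-ed25519 " + ed25519_blob(b"\xbb" * 32),
]) + "\n"
SCAN_LINE = "lab1.example.com ssh-ed25519 " + NEW_KEY  # what ssh-keyscan would print
EXPECTED_FP = fingerprint(NEW_KEY)  # stands in for the value read off the host's console

if __name__ == "__main__":
    print(replace_host_key(SAMPLE_KNOWN_HOSTS, "lab1.example.com", "192.168.1.1",
                           SCAN_LINE, EXPECTED_FP), end="")
```

In real use the expected fingerprint is typed in from the console or the kickstart log, never derived from the scan itself; a mismatch means the key on the wire is not the one the freshly installed host generated and nothing should be written.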

