Can we have better ssh fingerprint collision messages?

Mateusz Marzantowicz mmarzantowicz at osdf.com.pl
Wed Nov 13 23:11:02 UTC 2013


On 13.11.2013 22:19, Jeffrey Bastian wrote:
> On Wed, Nov 13, 2013 at 01:29:34PM -0500, Przemek Klosowski wrote:
>> On 11/12/2013 07:47 AM, Miroslav Suchý wrote:
>>>   2) if you know that some machines change fingerprint and you *trust it* you
>>>   can do:
>>>
>>>   ~/.ssh/config:
>>>   Host 192.168.1.1
>>>       UserKnownHostsFile /dev/null
>>
>>
>> It always bugged me that the choice was to either disable or manually edit an
>> obscure file, so I was happy to find that you can delete stale entries from
>> commandline:
>>
>> ssh-keygen -R hostname
> 
> 
> I work on some lab systems that get kickstarted frequently and thus
> change ssh keys quite often, so I wrote the script below to update my
> known_hosts file with the new key.
> 
> Note that I use the format "hostname,ip-address" so that I don't get two
> entries in my known_hosts file (which causes its own set of problems if the
> system gets a new IP address due to DHCP changes).
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> #!/bin/sh
> 
> KNOWN_HOSTS=~/.ssh/known_hosts
> NEW_HOST=$1
> # Resolve the name so the new entry can carry both hostname and address
> IP_ADDR=$(host "$NEW_HOST" | awk '/has address/{print $NF}')
> 
> if ! grep -q "$NEW_HOST" "$KNOWN_HOSTS" ; then
>         echo "Could not find $NEW_HOST in $KNOWN_HOSTS"
>         exit 1
> fi
> # Drop the stale entry, then fetch the current key and append it
> ssh-keygen -R "$NEW_HOST"
> [ -n "$IP_ADDR" ] && NEW_HOST="$NEW_HOST,$IP_ADDR"
> ssh-keyscan "$NEW_HOST" >> "$KNOWN_HOSTS"
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Jeff
> 

You can also manage host keys and fingerprints using FreeIPA.
The known_hosts file is managed for all machines added to the directory.

http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/host-keys.html


Mateusz Marzantowicz
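As an added example (not from this thread), a Python version of the known_hosts update that Jeff's script does with grep, ssh-keygen -R and ssh-keyscan: it matches the host field exactly instead of by substring (so "lab1" does not also match "lab10"), recognises hashed "|1|" entries, and writes the combined "hostname,ip" field. The sample known_hosts content, hostnames and keys are constructed; in real use the key still comes from ssh-keyscan, which records whatever key the host presents at that moment, so run it only when you know why the key changed.

```python
import base64
import hashlib
import hmac


def hash_hostname(host, salt):
    """Build an OpenSSH hashed known_hosts host field: |1|b64(salt)|b64(HMAC-SHA1)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_field_matches(field, host):
    """True if a known_hosts host field names `host` exactly (plain, comma list, or hashed)."""
    host = host.lower()
    for token in field.split(","):
        if token.startswith("|1|"):
            _, _, salt_b64, mac_b64 = token.split("|")
            salt = base64.b64decode(salt_b64)
            mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(mac, base64.b64decode(mac_b64)):
                return True
        elif token.lower() == host:
            return True
    return False


def replace_host_key(known_hosts, host, ip, key_type, key_b64):
    """Drop every entry for host (and ip, if given), then append one "host,ip" entry.

    Returns (new_known_hosts_text, number_of_entries_removed)."""
    kept, removed = [], 0
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not line.startswith("#"):
            field = fields[1] if fields[0].startswith("@") else fields[0]  # skip @cert-authority/@revoked marker
            if host_field_matches(field, host) or (ip and host_field_matches(field, ip)):
                removed += 1
                continue
        kept.append(line)
    kept.append("%s %s %s" % (host + "," + ip if ip else host, key_type, key_b64))
    return "\n".join(kept) + "\n", removed


# Constructed sample known_hosts (hypothetical hosts and keys): a "hostname,ip" entry,
# a host whose name merely contains "lab1", and a hashed entry.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "lab1.example.com,192.168.1.10 ssh-ed25519 AAAAC3OLDKEYlab1",
    "lab10.example.com ssh-ed25519 AAAAC3KEYlab10",
    hash_hostname("lab2.example.com", b"\x01" * 20) + " ssh-rsa AAAAB3OLDKEYlab2",
]) + "\n"
```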

