Perry Gagne
2016-Oct-18 14:06 UTC
Feature Request: Make ssh-keygen -R accepts Host aliases from .ssh/config
Hello,

This is my first feature request, so I am a little unfamiliar with OpenSSH dev. I have used OpenSSH for a number of years, and am familiar with a few of its advanced features.

I make pretty good use of the ssh_config (normally ~/.ssh/config) file for a few different reasons. This allows me to create entries like this:

    Host myvm
        Hostname vm-5.testlab.example.com
        User root
        ForwardX11Trusted yes

Now "myvm" is an alias to vm-5.testlab.example.com and tells SSH to login with root (and whatever other options you specify). So instead of having to type:

    ssh -Y root@vm-5.testlab.example.com

I can just type:

    ssh myvm

This alias works with other tools like scp, sftp, etc.

One annoying thing I found when working with hosts that get reinstalled regularly is I occasionally want to delete their known_host entries. I have been using ssh-keygen -R to do this. However, the -R does not accept these config file aliases. So I can just type:

    ssh-keygen -R myvm

I have to type:

    ssh-keygen -R vm-5.testlab.example.com

Is there a technical reason for this? Is there a reason ssh-keygen can't do a lookup in the config file for host alias to get the full hostname?

I wanted to send this email, before filing a feature request to get some feedback.

Thanks,
--Perry
Jakub Jelen
2016-Oct-18 15:27 UTC
Feature Request: Make ssh-keygen -R accepts Host aliases from .ssh/config
On 10/18/2016 04:06 PM, Perry Gagne wrote:
> One annoying thing I found when working with hosts that get reinstalled
> regularly is I occasionally want to delete their known_host entries. I have
> been using ssh-keygen -R to do this. However, the -R does not accept these
> config file aliases. So I can just type:
>
> ssh-keygen -R myvm
>
> I have to type:
>
> ssh-keygen -R vm-5.testlab.example.com
>
>
> Is there a technical reason for this? Is there a reason ssh-keygen can't do
> a lookup in the config file for host alias to get the full hostname?

The ssh-keygen is not reading client configuration (~/.ssh/config) and therefore it does not have any idea what are the aliases defined there. The aliases are not stored in the known hosts file either so we would not be able to progress without the configuration file (which is not needed for anything else).

In all other tools it works, because they use internally the ssh client with its configuration. But ssh-keygen is a standalone tool which should not depend on any configuration files, afaik.

Regards,
--
Jakub Jelen
Associate Software Engineer
Security Technologies
Red Hat
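
The reply above notes that ssh-keygen does not read ~/.ssh/config while the ssh client does; `ssh -G <alias>` prints the configuration the client resolves for an alias, so a wrapper can feed the result to `ssh-keygen -R`. The following is an added example, not part of the original thread and not OpenSSH code; `known_hosts_name` and `forget_host` are hypothetical names, and it assumes an OpenSSH client that supports `ssh -G`.

```shell
# Added example, not from the thread. Function names are hypothetical.

# known_hosts_name: read `ssh -G <alias>` output on stdin and print the name
# under which the ssh client records that host's key in known_hosts.
known_hosts_name() {
    awk '
        $1 == "hostname"     { host = $2 }
        $1 == "port"         { port = $2 }
        $1 == "hostkeyalias" { hka  = $2 }
        END {
            if (hka != "")
                print hka                          # HostKeyAlias replaces the name
            else if (host == "")
                exit 1                             # no hostname line: not ssh -G output
            else if (port != "" && port != "22")
                printf "[%s]:%s\n", host, port     # non-default ports are stored as [host]:port
            else
                print host
        }'
}

# forget_host: resolve a Host alias from ~/.ssh/config through the ssh client,
# then remove the matching known_hosts entries with ssh-keygen -R.
forget_host() {
    name=$(ssh -G "$1" | known_hosts_name) || return 1
    ssh-keygen -R "$name"
}
```

With the config entry from the first message, `forget_host myvm` runs `ssh-keygen -R vm-5.testlab.example.com`.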
Peter Moody
2016-Oct-18 15:52 UTC
Feature Request: Make ssh-keygen -R accepts Host aliases from .ssh/config
> One annoying thing I found when working with hosts that get reinstalled
> regularly is I occasionally want to delete their known_host entries. I have
> been using ssh-keygen -R to do this.

alternative solution: use host certificates rather than host keys.

* you distribute a single ca pubkey rather than a hostkey for every host.
* you'll _never_ see a "do you accept this host key" message if you're connecting to a host with a correct host cert.