On 29.09.20 12:44, Damien Miller wrote:
> On Tue, 29 Sep 2020, Martin Drescher wrote:
>
>> Hi list members,
[...]
> You can however find and delete hosts by name using ssh-keygen.
>
> To find entries matching a hostname, use "ssh-keygen -F hostname", e.g.

The point is, the file has over 600 hashes stored.

> $ ssh-keygen -lF haru.mindrot.org
> # Host haru.mindrot.org found: line 146
> haru.mindrot.org ECDSA SHA256:xjGrsgS6JzMojD3go1qULmh02LG8YpRirOwmoHnT/3M
> # Host haru.mindrot.org found: line 165
> haru.mindrot.org RSA SHA256:9nN+SOkKCQq6BLzybAUNlczAU0n+HbOIDxIrBIbPPmU
> # Host haru.mindrot.org found: line 166
> haru.mindrot.org ED25519 SHA256:43S30LGUkc2f9dDcLZG6O5KPKtPn7Xw2WkR2vCO/nnU
>
> (the -l flag tells it to print fingerprints instead of full keys)
>
> You can also delete entries using "ssh-keygen -R hostname".
>
> -d

At this point, my best practice would possibly be to start with an empty known_hosts and build a new one from all hosts in my .ssh/config. How would a 'last_seen' column in known_hosts be a nice feature? I'm not sure.

-- 
Martin
> At this point, my best practice would possibly be to start with an
> empty known_hosts and build a new one from all hosts in my .ssh/config.

You could move your user known_hosts file to the global location, and empty yours.
That way new (and changed) entries get written to your new file, but the old list is used as a backup.

Perhaps that would be a feature request - "also look at this file, and silently migrate to the user's file if identical".

> How would a 'last_seen' column in known_hosts be a nice feature? I'm
> not sure.

Not sure about that. Age doesn't tell about validity.
On 29.09.20 13:08, Philipp Marek wrote:
>
>> At this point, my best practice would possibly be to start with an
>> empty known_hosts and build a new one from all hosts in my .ssh/config.
>
> You could move your user known_hosts file to the global location,
> and empty yours.
> That way new (and changed) entries get written to your new file, but the old
> list is used as a backup.
>
> Perhaps that would be a feature request - "also look at this file,
> and silently migrate to the user's file if identical".

Never mind, it's easy to run ssh-keyscan for each host in a .ssh/config. What does not exist in that config does not exist in real life, either.

-- 
Martin
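A script for the approach discussed in this thread (rebuild known_hosts by running ssh-keyscan over the concrete hosts in .ssh/config, then compare the new file against the old one with ssh-keygen -F so a changed key is noticed rather than silently accepted). This is an added example, not code from the thread or from OpenSSH; the minimal ssh_config parser, the file paths and the constructed sample config are assumptions.

```shell
#!/bin/sh
# Constructed example: rebuild a known_hosts file from the concrete hosts
# in an ssh_config, then check the result against the old file.

# Print "alias hostname port" for each Host block that names a concrete host.
# Wildcard/negated patterns (*, ?, !) are skipped; Match blocks reset state.
list_config_hosts() {
    awk '
        function flush(   i, name, p) {
            for (i = 1; i <= n; i++) {
                if (aliases[i] ~ /[*?!]/) continue
                name = (hostname != "") ? hostname : aliases[i]
                p = (port != "") ? port : 22
                print aliases[i], name, p
            }
            n = 0
        }
        $1 ~ /^#/ || NF == 0 { next }
        tolower($1) == "host"     { flush(); for (i = 2; i <= NF; i++) aliases[i - 1] = $i
                                    n = NF - 1; hostname = ""; port = ""; next }
        tolower($1) == "match"    { flush(); hostname = ""; port = ""; next }
        tolower($1) == "hostname" { hostname = $2 }
        tolower($1) == "port"     { port = $2 }
        END { flush() }
    ' "$1"
}

# Scan every listed host and write its current keys, hashed (-H), to $2.
rebuild_known_hosts() {
    : > "$2"
    list_config_hosts "$1" | while read -r alias host port; do
        ssh-keyscan -H -p "$port" "$host" >> "$2" 2>/dev/null
    done
}

# Compare the keys recorded for each host in OLD ($1) and NEW ($2); a changed
# key deserves a look before the new file replaces the old one.
diff_host_keys() {
    list_config_hosts "$3" | while read -r alias host port; do
        name=$host
        if [ "$port" != 22 ]; then name="[$host]:$port"; fi   # known_hosts form
        a=$(ssh-keygen -F "$name" -f "$1" | awk '!/^#/ { print $2, $3 }' | sort)
        b=$(ssh-keygen -F "$name" -f "$2" | awk '!/^#/ { print $2, $3 }' | sort)
        [ "$a" = "$b" ] || printf 'CHANGED %s (%s)\n' "$alias" "$name"
    done
}

# Usage: sh rebuild.sh ~/.ssh/config ~/.ssh/known_hosts.new ~/.ssh/known_hosts
if [ "$#" -eq 3 ]; then
    rebuild_known_hosts "$1" "$2" && diff_host_keys "$3" "$2" "$1"
fi
```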