Is there any way to remove old entries from the known_hosts file? With the hashed 'names' one can't easily see which entries are which. I have around 150 lines in my known_hosts but in reality I only ssh to a dozen or so systems. All the redundant ones are because I have a mixed population of Raspberry Pis and such on my LAN and they get rebuilt fairly frequently and thus, each time, get a new entry in known_hosts.

As a result I have to set 'PreferredAuthentications password' for some systems because there are *loads* of redundant keys which cause login to fail otherwise.

-- 
Chris Green
On 14/02/2024 11:42, Chris Green wrote:
> Is there any way to remove old entries from the known_hosts file? With
> the hashed 'names' one can't easily see which entries are which. I
> have around 150 lines in my known hosts but in reality I only ssh to a
> dozen or so systems. All the redundant ones are because I have a
> mixed population of Raspberry Pis and such on my LAN and they get
> rebuilt fairly frequently and thus, each time, get a new entry in
> known_hosts.
>
> As a result I have to set 'PreferredAuthentications password' for some
> systems because there are *loads* of redundant keys which cause login
> to fail otherwise.
>

Set 'HashKnownHosts no' in /etc/ssh/ssh_config. This is actually the default for OpenSSH, but many distro vendors set it to yes because "it's more secure, obvs".

Connect to all the machines you need to and delete the lines which conflict (ssh will tell you the line number). When your known_hosts seems to contain the hosts you want, delete all the hashed ones. Or simply start from scratch with an empty known_hosts.

To disable host key checking altogether for certain domains and/or networks, you can put this in ~/.ssh/config:

    Host *.lab.example.com 10.11.*
        StrictHostKeyChecking no
        UserKnownHostsFile /dev/null
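The stanza above turns host authentication off for everything matching the pattern: with UserKnownHostsFile /dev/null no key is ever remembered, so every connection is a first connection and whatever answers on 10.11.* is accepted silently. The following ~/.ssh/config fragment is an added example, not from the thread, showing that stanza next to an alternative that keeps the convenience for rebuilt lab machines but still pins keys between rebuilds. The host patterns and the file name ~/.ssh/known_hosts.lab are assumptions; StrictHostKeyChecking accept-new is an OpenSSH option (added in 7.6).

```sshconfig
# Added example, not code from the thread. Two ways to handle a lab network
# of frequently rebuilt machines, for the same host pattern.

# 1. The thread's suggestion. Nothing is stored, so no key ever conflicts,
#    but a changed key (a rebuilt Pi or an attacker on the LAN) is never noticed.
# Host *.lab.example.com 10.11.*
#     StrictHostKeyChecking no
#     UserKnownHostsFile /dev/null

# 2. Alternative: a separate, unhashed known_hosts for the lab. A host seen
#    for the first time is added automatically (accept-new); a host whose key
#    changed is still refused, so a rebuilt machine costs one explicit
#        ssh-keygen -f ~/.ssh/known_hosts.lab -R pi3.lab.example.com
#    and the stale line is easy to spot because names are not hashed.
Host *.lab.example.com 10.11.*
    StrictHostKeyChecking accept-new
    UserKnownHostsFile ~/.ssh/known_hosts.lab
    HashKnownHosts no
```

The lab file is separate from the default ~/.ssh/known_hosts on purpose: the dozen hosts that matter keep strict checking, and the churn from rebuilt Pis never accumulates in the file used for them.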
On Wed, 14 Feb 2024 at 22:52, Chris Green <cl at isbd.net> wrote:
> Is there any way to remove old entries from the known_hosts file? With
> the hashed 'names' one can't easily see which entries are which.

ssh-keygen -R. From the man page:

     -R hostname | [hostname]:port
             Removes all keys belonging to the specified hostname (with
             optional port number) from a known_hosts file. This option is
             useful to delete hashed hosts (see the -H option above).

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
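ssh-keygen -R (and -F) can work on hashed lines because the hashed name is a salted HMAC of the hostname, so a line can be attributed to a host you already know even though it cannot be read back. The script below is an added example, not code from the thread or from OpenSSH, that re-implements that check over a known_hosts file: it groups every line under one of the hosts you actually use, reports the lines that match none of them (the retired machines, safe to delete), and flags hosts carrying two keys of the same type, which is exactly the rebuilt-Pi conflict that makes ssh refuse the login. The sample file, its host names and its key blobs are constructed placeholders.

```python
"""Attribute hashed known_hosts lines to the hosts you actually use.

Added example, not from the thread or from OpenSSH. A hashed name field has
the form |1|<base64 salt>|<base64 HMAC-SHA1(key=salt, msg=hostname)>, which
is what ssh writes when HashKnownHosts is yes and what ssh-keygen -F / -R test.
"""
import base64
import hashlib
import hmac

HASH_MAGIC = "|1|"


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Build the hashed name field ssh writes for hostname with a 20-byte salt."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()


def hashed_field_matches(field: str, hostname: str) -> bool:
    """True if a |1|salt|hash field was produced from hostname."""
    parts = field.split("|")                  # ['', '1', salt_b64, hash_b64]
    if len(parts) != 4 or parts[1] != "1":
        return False
    try:
        salt = base64.b64decode(parts[2], validate=True)
        expected = base64.b64decode(parts[3], validate=True)
    except ValueError:                        # binascii.Error is a ValueError
        return False
    actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def name_field_matches(field: str, hostname: str) -> bool:
    """Match a hashed or plain (comma-separated) name field against hostname.
    Wildcards and '!' negation in plain fields are not handled here."""
    if field.startswith(HASH_MAGIC):
        return hashed_field_matches(field, hostname)
    return hostname in field.split(",")


def _key_fields(line: str):
    """Split a line and drop a leading @cert-authority / @revoked marker."""
    fields = line.split()
    if fields and fields[0].startswith("@"):
        fields = fields[1:]
    return fields


def classify(text: str, hostnames):
    """Return ({hostname: [lines]}, orphan_lines).

    Write hostnames the way ssh stores them: 'pi1.lan', '10.11.0.5', or
    '[pi1.lan]:2222' for a non-default port. Comments and blanks are skipped.
    """
    by_host = {h: [] for h in hostnames}
    orphans = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = _key_fields(line)
        if len(fields) < 3:                   # name, key type, key blob at least
            orphans.append(line)
            continue
        owner = next((h for h in hostnames if name_field_matches(fields[0], h)), None)
        (by_host[owner] if owner else orphans).append(line)
    return by_host, orphans


def stale_hosts(by_host):
    """Hosts with more than one key of the same type: an old key from before
    a rebuild is still present, so ssh-keygen -R <host> is needed."""
    stale = []
    for host, lines in by_host.items():
        key_types = [_key_fields(line)[1] for line in lines]
        if len(key_types) != len(set(key_types)):
            stale.append(host)
    return stale


def sample_known_hosts() -> str:
    """Constructed sample file; key blobs are placeholders, not real keys.
    Fixed salts keep the output reproducible (ssh uses random salts)."""
    salt_a = hashlib.sha1(b"salt-a").digest()
    salt_b = hashlib.sha1(b"salt-b").digest()
    salt_c = hashlib.sha1(b"salt-c").digest()
    return "\n".join([
        "# constructed example",
        f"{hash_hostname('pi1.lan', salt_a)} ssh-ed25519 AAAAplaceholderOldPi1",
        f"{hash_hostname('pi1.lan', salt_b)} ssh-ed25519 AAAAplaceholderNewPi1",
        "pi2.lan,10.11.0.12 ssh-ed25519 AAAAplaceholderPi2",
        f"{hash_hostname('10.11.0.77', salt_c)} ssh-rsa AAAAplaceholderRetired",
        f"{hash_hostname('[pi3.lan]:2222', salt_a)} ssh-ed25519 AAAAplaceholderPi3",
    ])


if __name__ == "__main__":
    by_host, orphans = classify(sample_known_hosts(), ["pi1.lan", "pi2.lan", "[pi3.lan]:2222"])
    for host, lines in by_host.items():
        print(f"{host}: {len(lines)} line(s)")
    print(f"orphan lines (no host you use): {len(orphans)}")
    print("run ssh-keygen -R on:", stale_hosts(by_host))
```

Point it at the real file with open(os.path.expanduser("~/.ssh/known_hosts")).read() and your own host list. Lines that land in orphans are the hosts you no longer ssh to and can be dropped; a host listed by stale_hosts should get ssh-keygen -R followed by a fresh connection, which is the same fix as deleting the line number ssh complains about.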