On 14/02/2024 11:42, Chris Green wrote:
> Is there any way to remove old entries from the known_hosts file? With
> the hashed 'names' one can't easily see which entries are which. I
> have around 150 lines in my known hosts but in reality I only ssh to a
> dozen or so systems. All the redundant ones are because I have a
> mixed population of Raspberry Pis and such on my LAN and they get
> rebuilt fairly frequently and thus, each time, get a new entry in
> known_hosts.
>
> As a result I have to set 'PreferredAuthentications password' for some
> systems because there are *loads* of redundant keys which cause login
> to fail otherwise.
>
Set 'HashKnownHosts no' in /etc/ssh/ssh_config. This is actually the
default for OpenSSH, but many distro vendors set it to yes because "it's
more secure, obvs".
Connect to all the machines you need to and delete the lines which
conflict (ssh will tell you the line number). When your known_hosts
seems to contain the hosts you want, delete all the hashed ones. Or
simply start from scratch with an empty known_hosts.
To disable host key checking altogether for certain domains and/or
networks, you can put this in ~/.ssh/config:
host *.lab.example.com 10.11.*
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
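An added example, not part of this thread or of OpenSSH itself, showing why hashed entries cannot be read by eye and how to still tell which of them belong to hosts you use. A hashed host field has the form |1|base64(salt)|base64(HMAC-SHA1(salt, hostname)); the script reproduces that hashing, parses a constructed known_hosts (fake keys, fixed salt, made-up hostnames under the lab.example.com domain from the reply above), matches every entry against a list of hosts you actually connect to, and reports the line numbers that matched nothing so they can be reviewed and dropped. Function and variable names are this example's own.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class KnownHostEntry:
    lineno: int      # 1-based line number, the same number ssh prints in its warnings
    hostfield: str   # plain "host,ip" list or a "|1|salt|mac" hash
    keytype: str
    key: str
    hashed: bool


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Build a hashed host field exactly as HashKnownHosts yes writes it:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def hashed_matches(hostfield: str, hostname: str) -> bool:
    """Re-hash hostname with the entry's salt and compare against the stored MAC."""
    _, _, salt_b64, mac_b64 = hostfield.split("|")
    salt = base64.b64decode(salt_b64)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, base64.b64decode(mac_b64))


def parse_known_hosts(text: str) -> List[KnownHostEntry]:
    """Parse known_hosts lines; skips blanks and comments, tolerates a leading
    @cert-authority / @revoked marker, ignores trailing comment fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):
            parts = parts[1:]
        if len(parts) < 3:
            continue
        hostfield, keytype, key = parts[0], parts[1], parts[2]
        entries.append(KnownHostEntry(lineno, hostfield, keytype, key, hostfield.startswith("|1|")))
    return entries


def entry_matches(entry: KnownHostEntry, hostname: str) -> bool:
    """Plain fields are a comma-separated list of names/addresses; this example
    does exact matching only and does not evaluate '*' patterns or '!' negations."""
    if entry.hashed:
        return hashed_matches(entry.hostfield, hostname)
    return hostname in entry.hostfield.split(",")


def classify(text: str, hosts_in_use: List[str]) -> Tuple[List[int], List[int]]:
    """Return (lines matching a host you use, lines matching none of them).
    An unmatched line is only a candidate for removal: it may be a host you
    reach under another name or address, so review before deleting."""
    keep, unmatched = [], []
    for entry in parse_known_hosts(text):
        if any(entry_matches(entry, h) for h in hosts_in_use):
            keep.append(entry.lineno)
        else:
            unmatched.append(entry.lineno)
    return keep, unmatched


def remove_lines(text: str, drop: List[int]) -> str:
    """Produce the cleaned file contents with the given 1-based lines removed."""
    kept = [l for i, l in enumerate(text.splitlines(), start=1) if i not in drop]
    return "\n".join(kept) + "\n"


# Constructed sample data: a fixed salt (OpenSSH uses 20 random bytes), fake
# public keys and hostnames invented for this example.
SAMPLE_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "pi-a.lab.example.com,10.11.0.5 ssh-ed25519 AAAAC3FAKEKEYA",
    hash_hostname("pi-b.lab.example.com", SAMPLE_SALT) + " ssh-ed25519 AAAAC3FAKEKEYB",
    hash_hostname("old-pi.lab.example.com", SAMPLE_SALT) + " ssh-rsa AAAAB3FAKEKEYC",
    "# a comment line is ignored",
])
HOSTS_IN_USE = ["pi-a.lab.example.com", "pi-b.lab.example.com"]

if __name__ == "__main__":
    keep, unmatched = classify(SAMPLE_KNOWN_HOSTS, HOSTS_IN_USE)
    print("lines for hosts in use:", keep)
    print("lines matching none of them (review, then drop):", unmatched)
    print(remove_lines(SAMPLE_KNOWN_HOSTS, unmatched))
```

To use it on a real file, read ~/.ssh/known_hosts into text, pass the names you type on the ssh command line (for a non-default port the field is hashed as [host]:port, so list it that way), and write the output of remove_lines back only after checking the candidate lines. Matching needs the exact name that was hashed, which is why a host reached as both an IP and a DNS name shows up twice.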