search for: known_host

Displaying 20 results from an estimated 747 matches for "known_host".

2017 Jan 28
3
known_hosts question for Ubuntu Server 14.04 and 16.04 LTS
Hello & thanks for reading. I'm having a problem configuring known_hosts from scripts so an accept key yes/no prompt doesn't appear. I'm using this command to detect if the server is known and add it to known_hosts: if ! ssh-keygen -F ${IP_ADDR} -f ~/.ssh/known_hosts > /dev/null 2>&1; then ssh-keyscan -p ${PORT} ${IP_ADDR} >> ~/.ssh/known_hos...
2014 Oct 06
2
[Bug 2285] New: Say NOT updated instead of updated
...OS: Linux Status: NEW Severity: trivial Priority: P5 Component: ssh-keygen Assignee: unassigned-bugs at mindrot.org Reporter: jidanni at jidanni.org We observe that aside from the first run below, the message "/home/jidanni/.ssh/known_hosts updated." is incorrect. Using diff(1) we show that the contents remain the same. Therefore in the latter cases, saying "/home/jidanni/.ssh/known_hosts NOT updated." would be better. Nor is there any reason to write a backup. $ ssh-keygen -f "/home/jidanni/.ssh/known_hosts"...
2020 Oct 04
3
UpdateHostkeys now enabled by default
...20, Damien Miller wrote: > > > > > > > No - I think you've stumbled on a corner case I hadn't anticipated. > > > > Does your configuration override CheckHostIP at all? > > > > No. > > > > > > > > > > What are the known_hosts entries for the hostname and IP? > > > > > > Also, do you use HashKnownHosts? or do you have any hashed host lines > > > in known_hosts? > > > > Yes I use HashKnownHosts yes > > Thanks - I think that was the missing piece of the puzzle. Can you >...
2019 Oct 20
5
[Bug 3083] New: Passing tilde (HOME) in file option results in cryptic error
...: NEW Severity: enhancement Priority: P5 Component: ssh-keygen Assignee: unassigned-bugs at mindrot.org Reporter: s.egbert at sbcglobal.net The command in question discovered in earlier 7.9p1 and also in latest 8.1p1: ssh-keygen -f "~/.ssh/known_hosts" -R "johndoe" Expected output: known_hosts: No such file or directory The actual result output is: mkstemp: No such file or directory `strace -f` shows: openat(AT_FDCWD, "~/.ssh/known_hosts.TgA5TDcI46", O_RDWR|O_CREAT|O_EXCL, 0600) = -1 ENOENT (No such fi...
2008 Oct 29
0
ssh disregarding umask for creation of known_hosts (and other files?)
Hey folks-- When ssh creates a known_hosts file for a user, it disregards the currently-set umask, and can actually turn on mode bits that the user has explicitly masked. While i'm happy to have ssh make files *more* secure than my umask (in situations where that's reasonable, like the creation of new ssh keys, etc), i'm not s...
2023 Oct 10
17
[Bug 3627] New: openssh 9.4p1 does not see RSA keys in know_hosts file.
...leges, immediate termination of employment, and/or prosecution to the fullest extent of the law. Last login: Mon Oct 9 11:00:11 2023 from 10.10.10.62 #]0;user at wrkstn42: ~#user at wrkstn42:~$ exit logout Connection to 10.106.101.142 closed. < user_lamborghini ~/.ssh: > Now I have TWO known_hosts files. known_hosts and known_hosts.old. < user_lamborghini ~/.ssh: > ls -l total 10 -rw-r--r-- 1 user user 221 Mar 18 2012 authorized_keys -rw-r--r-- 1 user user 26 Aug 30 10:12 config -rw-r--r-- 1 user user 302 Sep 7 10:57 env -rw------- 1 user user 792 Oct 9 1...
2013 Nov 11
4
[Bug 2169] New: command to remove outdated hostkey from known_hosts file wrong
https://bugzilla.mindrot.org/show_bug.cgi?id=2169 Bug ID: 2169 Summary: command to remove outdated hostkey from known_hosts file wrong Product: Portable OpenSSH Version: 6.2p1 Hardware: Other OS: Linux Status: NEW Severity: minor Priority: P5 Component: ssh Assignee: unassigned-bugs at mindrot.org...
2009 Sep 26
0
[Bug 1654] New: ~/.ssh/known_hosts.d/*
https://bugzilla.mindrot.org/show_bug.cgi?id=1654 Summary: ~/.ssh/known_hosts.d/* Product: Portable OpenSSH Version: 5.1p1 Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P2 Component: ssh AssignedTo: unassigned-bugs at mindrot.org ReportedBy: josh at f...
2024 Feb 14
2
How to remove old entries from known_hosts?
Is there any way to remove old entries from the known_hosts file? With the hashed 'names' one can't easily see which entries are which. I have around 150 lines in my known hosts but in reality I only ssh to a dozen or so systems. All the redundant ones are because I have a mixed population of Raspberry Pis and such on my LAN and they get rebu...
2005 May 18
3
known_hosts vulnerability?
Hey all, I came across a security news article, referenced by http://www.linux.org/news, at http://www.techworld.com/security/news/index.cfm?NewsID=3668 talking about an SSH weakness involving the known_hosts file. I apologize if this issue has already been addressed, but the mailing list archives didn't turn up anything when i tried searching for something relevant. So; not to knee-jerk or anything, but is anyone currently looking into this? Does this need to be addressed, or has it already been t...
2010 Aug 20
1
[Feature Request] delete defined line in known_hosts file
Hi, for a test lab, I'm trying to write a small shell script that will eradicate all information regarding a special host from the known_hosts file. Unfortunately, it is quite non-trivial to find out what ssh doesn't like with a host. ssh says which line in known_hosts has the offending key, but ssh-keygen -R doesn't take a line number. Am I using an undocumented interface when I simply use sed to delete the appropriate line? If...
2003 Dec 18
2
known_hosts, IP, and port revisited
...e, for those of you who don't feel like following the bug URL, is that when one has ssh servers behind a NAT, each of which responds to a different port on the NAT IP, they must all have the same host key to avoid the ssh man-in-the-middle warning about a changed host key. In short, because the known_hosts file is indexed only by name/IP and not port, there is no way to distinguish between servers by port. The discussion in 2002, which led to the bug being closed without a fix, involved how different keys for the same name/IP would affect hostbased authentication. It's been over a year now, an...
2009 Sep 07
6
Question about Server Authentication
Hi guys, I'm working on a project which concerns SSH and there is something I don't understand about server authentication. So I explain my problem: - When you authorize only RSA keys in the sshd_config on the server, you need to have the RSA public key of this server in the known_hosts file of the client. This is absolutely normal. - When you authorize only DSA keys in the sshd_config on the server, you need to have the DSA public key of this server in the known_hosts file of the client. This is also absolutely normal. - But when you authorize both RSA and DSA keys, you are ob...
2020 Oct 04
2
UpdateHostkeys now enabled by default
On Sun, 4 Oct 2020, Matthieu Herrb wrote: > Hi, > > on OpenBSD-current I now get this when connecting to an existing > machine for which I have both ecdsa and ed25519 keys in my existing > known_hosts (but apparently ed25519 keys were added only for the name > previously by ssh): > > Warning: the ED25519 host key for 'freedom' differs from the key for > the IP address '2a03:7220:8081:6101:6552:9ca8:512b:9251' > Offending key for IP in /home/matthieu/.ssh/known_...
2016 Dec 09
2
HashKnownHosts vs @cert-authority
Hi folks, maybe I am too blind to see, but would it be possible to avoid extra entries in known_hosts, if the remote host has a signed public key matching a @cert-authority line? Something like Host * HashKnownHosts unsigned This could help to keep the known_hosts file small and yet get all the unsigned public keys in. Just a suggestion, of course. Regards Harri
2005 Dec 10
2
known_hosts and multiple hosts through a NAT router
The .ssh/known_hosts table cannot handle reaching different sshd servers behind a NAT router. The machines are selected by having the SSHDs respond to different ports. A second request would be to allow known_hosts checking solely on the dns name, wildcarding the IP address. This would be useful to avoid continuously...
2024 Feb 17
1
How to remove old entries from known_hosts?
Brian Candler wrote: > Chris Green wrote: > > ... redundant ones are because I have a mixed population of > > Raspberry Pis and such on my LAN and they get rebuilt fairly > > frequently and thus, each time, get a new entry in known_hosts. > ...many useful tips... > To disable host key checking altogether for certain domains and/or networks, > you can put this in ~/.ssh/config: > > host *.lab.example.com 10.11.* > StrictHostKeyChecking no > UserKnownHostsFile /dev/null > ...many useful tips... Additiona...
2020 Feb 06
2
Call for testing: OpenSSH 8.2
On Wed, 5 Feb 2020, Phil Pennock wrote: > On 2020-02-06 at 10:29 +1100, Damien Miller wrote: > > * sshd(8): allow the UpdateHostKeys feature to function when > > multiple known_hosts files are in use. When updating host keys, > > ssh will now search subsequent known_hosts files, but will add > > updated host keys to the first specified file only. bz2738 > > In testing this, when the impact is to _remove_ a known_hosts entry then > all the existing e...
2000 Mar 18
2
Keysize mismatch error on host key
...ng. I'm thinking this could be some byte swapping issue because this box is running Solaris 2.6. This Solaris box is using the EGD script for its random stuff, if that makes a difference. Anyone have any ideas on where to start looking ? I'm willing to chase it down. I tried modifying the known_hosts file as the warning suggests to no avail. Here's the output of what I'm seeing: The authenticity of host 'xxx.somewhere.net' can't be established. Key fingerprint is 1024 28:b0:37:af:d4:ec:09:1f:fb:4f:5e:47:e8:fb:b1:c8. Are you sure you want to continue connecting (yes/no)? ye...
2020 Jul 17
0
[Bug 1654] ~/.ssh/known_hosts.d/*
...serKnownHostsFile and the '%k' TOKEN for the HostKeyAlias. This combination should be an effective way to implement this in the config file should you want it. (In reply to Josh Triplett from comment #2) > Right. For the initial pass, ssh would still always write new keys > to .ssh/known_hosts, and only *read* from known_hosts.d; the user > would manually split entries out into files in that directory. Any > change to automatically write out split files could come later. Since UserKnownHostsFile takes multiple args but only writes to the first, you can now implement those semant...