Displaying 20 results from an estimated 92 matches for "userknownhostsfile".
2015 Jan 10
2
Variable substitution in UserKnownHostsFile configuration option
Dear OpenSSH developers,
Do you find it a good idea if variable substitution is implemented in
UserKnownHostsFile the same way it is done for IdentityFile? In
ssh_config I would like to write something like
UserKnownHostsFile ~/keys/%r/known_hosts
Thanks!
--
With best regards,
Dmitry
2020 Sep 05
2
Support for UserKnownHostsFile tokens?
Hi Damien/all,
Since github etc use a potentially large number of IP addresses (albeit with a small number of keys), I'd like more granular oversight over their entries in my known_hosts.
Eg, here is a simplified stanza from my current ssh config:
Host github gitlab
User git
Hostname %h.com
UserKnownHostsFile ~/.ssh/known_hosts.d/git
There doesn't seem to be a good way to filter only certain hosts from that UserKnownHostsFile. When looking to remove outdated entries, I'd like to be able to tell which IP addresses and keys belonged to, say, GitHub -- at any time in the past.
I wondered if you w...
2023 Aug 18
1
Host key verification (known_hosts) with ProxyJump/ProxyCommand
...Otherwise, and assuming a *manageable* (mainly, enumerable) population
> of remote sites, I wonder whether this approach might work, too?
>
> Host Perth-47
>     HostName 172.23.45.47
>     ProxyJump Perth-GW
>     GlobalKnownHostsFile /dev/null
>     UserKnownHostsFile ~/.ssh/known-in-Perth
> Host Adelaide-11
>     HostName 172.45.67.11
>     ProxyJump Adelaide-GW
>     GlobalKnownHostsFile /dev/null
>     UserKnownHostsFile ~/.ssh/known-in-Adelaide
>
> (Yes, I realize that with target IPs being *potentially dyn...
2023 Aug 18
2
Host key verification (known_hosts) with ProxyJump/ProxyCommand
...0.0/8 in preparation, sslip.io
might be helpful.
https://sslip.io/
Otherwise, and assuming a *manageable* (mainly, enumerable) population
of remote sites, I wonder whether this approach might work, too?
Host Perth-47
    HostName 172.23.45.47
    ProxyJump Perth-GW
    GlobalKnownHostsFile /dev/null
    UserKnownHostsFile ~/.ssh/known-in-Perth
Host Adelaide-11
    HostName 172.45.67.11
    ProxyJump Adelaide-GW
    GlobalKnownHostsFile /dev/null
    UserKnownHostsFile ~/.ssh/known-in-Adelaide
(Yes, I realize that with target IPs being *potentially dynamic* per
DHCP, having known hostkeys indexed by site *and IP* might still...
2016 Jan 13
6
[Bug 2525] New: Please add an alias such as -o Insecure for -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
https://bugzilla.mindrot.org/show_bug.cgi?id=2525
Bug ID: 2525
Summary: Please add an alias such as -o Insecure for -o
UserKnownHostsFile=/dev/null -o
StrictHostKeyChecking=no
Product: Portable OpenSSH
Version: 6.7p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: trivial
Priority: P5
Component: ssh
Assignee: unassig...
2015 Aug 27
3
Disabling host key checking on LAN
Perfect, thanks. This winds up working for me (as far as I've tested so
far.)
Match exec "ping -q -c 1 -t 1 %n | grep '192\.168\.'"
StrictHostKeyChecking no
UserKnownHostsFile none
On Wed, Aug 26, 2015 at 11:47 PM, Bostjan Skufca <bostjan at a2o.si> wrote:
> (+cc list)
>
> You could use something in the following manner:
>
> Match originalhost * exec "/check/if/this/hostname/is/on/lan.sh"
> ...(lan-specific opts)...
>
>...
2015 Aug 29
2
Disabling host key checking on LAN
...M, Walter Carlson <wlcrls47 at gmail.com> wrote:
>
>> Perfect, thanks. This winds up working for me (as far as I've tested so
>> far.)
>>
>> Match exec "ping -q -c 1 -t 1 %n | grep '192\.168\.'"
>> StrictHostKeyChecking no
>> UserKnownHostsFile none
>>
>
> For the record, the last line has to be "UserKnownHostsFile /dev/null". I
> saw "none" being used in others' openssh examples, but for me, that's using
> the file ~/none rather than being interpreted as "don't use one".
If yo...
2015 Aug 26
5
Disabling host key checking on LAN
...do this - it's a horrible idea, but deciding I want to do
it anyway. Tired of having to remove entries from known_hosts with the
multiple VMs I have that often change fingerprints, and am willing to live
with the risks.
/etc/ssh/ssh_config
Host 192.168.*.*
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
or
UserKnownHostsFile none
Isn't doing the trick. With no known_hosts file in ~/.ssh or /etc, I still
get:
The authenticity of host '<hostname> (192.168.2.2)' can't be established.
ECDSA key fingerprint is SHA256:.....
Are you sure you want to continue connecti...
2020 Oct 19
6
[Bug 3221] New: hostkey preference ordering is broken in some situations
...st_rsa
# 10.201.18.12:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
$ ssh-keyscan -t ecdsa-sha2-nistp256 10.201.18.12 > known_host_ecdsa
# 10.201.18.12:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
# No problems with OpenSSH 8.3p1
$ ssh -V
OpenSSH_8.3p1 Debian-1, OpenSSL 1.1.1h 22 Sep 2020
$ ssh -o UserKnownHostsFile=known_host_ecdsa 10.201.18.12 /bin/true
$ ssh -o UserKnownHostsFile=known_host_rsa 10.201.18.12 /bin/true
$ ssh -o UserKnownHostsFile=known_host_ed25519 10.201.18.12 /bin/true
# OpenSSH 8.4p1 gives a host key verification error if the known key is
ECDSA
$ ./ssh -V
OpenSSH_8.4p1, OpenSSL 1.1.1h 2...
2020 Sep 30
3
Human readable .ssh/known_hosts?
On Tue, 29 Sep 2020 at 23:16, Nico Kadel-Garcia <nkadel at gmail.com> wrote:
[...]
> I gave up on $HOME/.ssh/known_hosts a *long* time ago, because if
> servers are DHCP distributed without static IP addresses they can wind
> up overlapping IP addresses with mismatched hostkeys
You can set CheckHostIP=no in your config. As long as the names don't
change it'll do what you
2011 Apr 08
1
Host selection in ssh_config
.... By "lighter security" I mean at least, no
host key check; we often install and re-install hosts and managing all
that public keys is heavy. Then my goal is to have two different
configurations when targeting a host:
* inside our domain: "StrictHostKeyChecking no" and "UserKnownHostsFile
/dev/null".
* into the Wild: "StrictHostKeyChecking yes" and "UserKnownHostsFile
~/.ssh/known_hosts".
And now my problem:
The easiest way to sort target hosts, I thought, was to select our
domain in ssh_config:
# inside
Host *.our_domain
parameters
# outside
Host *...
2025 Jan 07
1
[PATCH] permits multiple tags on a configuration block.
...> Hostname new-hostname
>
> Match tagged change-port-and-user
> Port 12345
> Tag change-user
>
> Match tagged change-user
> User bilbo
>
> Match tagged jump-to-mybox
> ProxyJump mybox
>
> Match tagged nocheck
> StrictHostKeyChecking false
> UserKnownHostsFile /dev/null
>
> Match tagged frodo-identity
> IdentityFile ~/.ssh/id_ed25519_frodo
the following parameters can be obtained:
> gandalf at mybox $ ssh -P nocheck -P frodo-identity test-host -G |
> > grep -E "^(user|hostname|port|stricthostkeychecking|identityfile|`
> >...
2014 Jan 09
1
OSX - SSH agent functionality differing based upon CLI arguments
...first instance I can create an SSH connection, and execute a remote git clone (via SSH), the Agent Forwarding works, and I am not prompted for credentials:
ssh vagrant@127.0.0.1 -p 2222 \
-o Compression=yes \
-o StrictHostKeyChecking=no \
-o LogLevel=FATAL \
-o StrictHostKeyChecking=no \
-o UserKnownHostsFile=/dev/null \
-o IdentitiesOnly=yes \
-i /Users/bryanhunt/.vagrant.d/insecure_private_key \
-o ForwardAgent=yes \
"/bin/sh -c 'git clone git@bitbucket.org:bryan_picsolve/poc_docker.git /home/vagrant/poc_dockera' "
Cloning into '/home/vagrant/poc_dockera'...
In the secon...
2020 Oct 04
2
UpdateHostkeys now enabled by default
On Sun, 4 Oct 2020, Christoph Anton Mitterer wrote:
> On Sun, 2020-10-04 at 14:02 +1100, Damien Miller wrote:
> > This is strictly no worse than continuing to use the old key, so I
> > don't consider it a problem.
>
> Well but in reality it will lead to people never again replace their
> key by proper means.
Well, first I disagree that this method is improper. The
2020 Jul 10
0
[Bug 1654] ~/.ssh/known_hosts.d/*
...--------------------------
CC| |dtucker at dtucker.net
--- Comment #5 from Darren Tucker <dtucker at dtucker.net> ---
Created attachment 3426
--> https://bugzilla.mindrot.org/attachment.cgi?id=3426&action=edit
expand tokens and env vars in UserKnownHostsFile
With some recent work on percent-token expansions it should be
relatively easy to add expansions to UserKnownHostsFile, allowing
UserKnownHostsFile ~/.ssh/known_hosts.d/%n
%n isn't ideal in the presence of a HostKeyAlias, so if this goes in
I'd be adding a %k token for that.
--
You are...
2020 Jul 17
0
[Bug 1654] ~/.ssh/known_hosts.d/*
...----------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #7 from Darren Tucker <dtucker at dtucker.net> ---
I've just committed TOKEN expansion support for UserKnownHostsFile and
the '%k' TOKEN for the HostKeyAlias. This combination should be an
effective way to implement this in the config file should you want it.
(In reply to Josh Triplett from comment #2)
> Right. For the initial pass, ssh would still always write new keys
> to .ssh/known_hosts, and...
2024 Feb 17
1
How to remove old entries from known_hosts?
...> frequently and thus, each time, get a new entry in known_hosts.
> ...many useful tips...
> To disable host key checking altogether for certain domains and/or networks,
> you can put this in ~/.ssh/config:
>
> host *.lab.example.com 10.11.*
> StrictHostKeyChecking no
> UserKnownHostsFile /dev/null
> ...many useful tips...
Additionally I would consider setting up global ssh_known_hosts
containing the ssh host keys for your network. If a key is in the
global file then it won't be added to the local client file. The
global hosts file can be updated as you rebuild your lab ma...
2015 Jun 12
6
[Bug 2413] New: Suppress 'Permanently added ... to known hosts' when redirecting to /dev/null
https://bugzilla.mindrot.org/show_bug.cgi?id=2413
Bug ID: 2413
Summary: Suppress 'Permanently added ... to known hosts' when
redirecting to /dev/null
Product: Portable OpenSSH
Version: 6.8p1
Hardware: 68k
OS: Mac OS X
Status: NEW
Severity: trivial
Priority: P5
2017 Jul 05
9
[Bug 2738] New: UpdateHostKeys does not check keys in secondary known_hosts files
...OS: Linux
Status: NEW
Severity: minor
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: jaap at jaapeldering.nl
I have the following settings (among others) in my ~/.ssh/config:
HashKnownHosts no
UserKnownHostsFile ~/.ssh/known_hosts ~/.ssh/known_hosts_common
UpdateHostKeys ask
When I connect to a known host, ssh nicely asks me to store new host
keys it learned about, and stores them in ~/.ssh/known_hosts. All fine
so far.
Now I move these entries to ~/.ssh/known_hosts_common, and next time I
connect to th...
2019 Mar 14
7
prompt to update a host key
As far as I can tell, there currently isn't a straightforward way to
use password authentication for connecting to hosts where the host key
changes frequently. I realize this is a fairly niche use case, but
when developing software for devices that often get reimaged
(resulting in a host key change), it can get pretty tedious to attempt
to connect, get a warning, remove the old host key via