
openssh known_hosts list

Peter Kielbasiewicz
Frequent Advisor

When you connect to a host for the first time, ssh asks something like
"Host key not found from the list of known hosts. Are you sure you want to continue connecting (yes/no)?"
Most people say yes at this point, especially in an intranet environment where ssh is mainly used to avoid plain-text password and data transmission.

If a host is re-installed or replaced, the stored host keys do not match anymore.
A connection attempt then produces a warning or error message indicating that the host key has changed.

There is an option 'StrictHostkeyChecking' in ssh_config which can be set to yes/no/ask.
Unfortunately it does not work as expected.
When set to 'yes' OR 'ask', I get the warning and the connection is declined; there is no asking if set to 'ask'.
When set to 'no', the warning is issued and the connection is accepted.

In no case is the old host key replaced by the new host key. This is always an annoying manual process.

There are two points here:
1. The 'ask' option never asks but always declines.
Is this a bug which has been seen before or is it only a problem of my openssh 3.6.1p1 version on HP-UX 10.20?

2. At least with StrictHostkeyChecking=ask I would expect that the host key gets automatically updated in the known_hosts file.
This is the same as with an initial connection to an unknown host, where the user gets prompted and eventually the host key is added to the list of known hosts.
Does anybody know a way to get changed host keys updated in known_hosts?
Abdul Rahiman
Esteemed Contributor

Re: openssh known_hosts list

There used to be a nice perl utility shipped with SSH1 called make-ssh-known-hosts.pl, which would query the entire domain to populate the /etc/ssh/known_hosts file by scanning your network. But I couldn't find the script in my installation now.
No unix, no fun
Sridhar Bhaskarla
Honored Contributor

Re: openssh known_hosts list

Peter,

There isn't any way you can get this file automatically updated for the hosts whose hostkeys have changed.

The default option is 'ask', which applies when StrictHostkeyChecking is commented out. With "yes", you will need to manually add the HostKeys for the new hosts. With "ask", it will prompt you and then add them. But there isn't one for "replacing" the hostkeys in my view. With "no", it checks the known_hosts file but won't bother much.

While my ssh_config is set to "ask", for my automated script, I specify "StrictHostkeyChecking no" in the command line.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
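A worked example, added here and not part of the thread, of the check-then-confirm workflow Peter asks for in point 2 and that Sri notes ssh does not do on its own: it parses a known_hosts file (plain and HashKnownHosts entries), classifies an ssh-keyscan line as unknown, unchanged or changed, and replaces a changed key only when the caller supplies the new key's SHA256 fingerprint obtained out of band, since an unexpected change is exactly the signal of a man-in-the-middle. The host names, salt and key blobs are constructed; the functions mirror what ssh-keygen -F, ssh-keygen -R and ssh-keygen -l do.

```python
import base64
import hashlib
import hmac

def fingerprint(b64_key: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints (unpadded base64)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(base64.b64decode(b64_key)).digest()).decode().rstrip("=")

def hashed_host_field(host: str, salt: bytes) -> str:
    """Host field as HashKnownHosts writes it: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return f"|1|{base64.b64encode(salt).decode()}|{base64.b64encode(mac).decode()}"

def host_matches(field: str, host: str) -> bool:
    """Match a plain comma-separated host field or a hashed one."""
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(field, hashed_host_field(host, salt))
    return host in field.split(",")

def find_entry(known_hosts: str, host: str, key_type: str):
    """Return (line_index, stored_key) for host and key type, or None (like ssh-keygen -F)."""
    for i, line in enumerate(known_hosts.splitlines()):
        parts = line.split()
        if len(parts) >= 3 and parts[1] == key_type and host_matches(parts[0], host):
            return i, parts[2]

def check_host_key(known_hosts: str, host: str, scanned: str) -> str:
    """Classify an ssh-keyscan line: 'unknown' (first contact), 'unchanged' or 'changed' (reinstall or MITM)."""
    _, key_type, new_key = scanned.split()[:3]
    found = find_entry(known_hosts, host, key_type)
    if found is None:
        return "unknown"
    return "unchanged" if found[1] == new_key else "changed"

def replace_host_key(known_hosts: str, host: str, scanned: str, confirmed_fp: str) -> str:
    """Replace a changed key only if confirmed_fp (read out of band, e.g. on the host's console) matches."""
    _, key_type, new_key = scanned.split()[:3]
    if fingerprint(new_key) != confirmed_fp:
        raise ValueError("fingerprint mismatch: refusing to update known_hosts")
    lines = known_hosts.splitlines()
    found = find_entry(known_hosts, host, key_type)
    if found is not None:
        del lines[found[0]]  # same effect as ssh-keygen -R <host> for this entry
    lines.append(f"{host} {key_type} {new_key}")
    return "\n".join(lines) + "\n"

# Constructed sample data: these blobs are not real host keys.
OLD_KEY = base64.b64encode(b"constructed old host key blob").decode()
NEW_KEY = base64.b64encode(b"constructed new host key blob").decode()  # key after reinstall
KNOWN_HOSTS = f"hpux01.example.net,10.0.0.5 ssh-ed25519 {OLD_KEY}\n"
```

Replacing the entry drops the whole matching line, so an IP alias stored on the same line must be re-added, which is also what ssh-keygen -R does.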