Re: prompt to update a host key

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On 03/15/2019 12:49 AM, Jeremy Lin wrote:
> [...] connecting to hosts where the host key
> changes frequently. I realize this is a fairly niche use case [...]

Imagine sysadminning a boatload of VMs getting IPs from a dynamic pool, a la

$ for ADDR in $CUSTOMER_1_RANGE $CUSTOMER_2_RANGE... ; do
> ping -c 1 -w 2 $ADDR >/dev/null 2>&1 && ssh root@$ADDR do_urgent_fix
> done

, and it mightn't be that much of a niche anymore ...

> [...] developing software for devices that often get reimaged
> (resulting in a host key change) [...]

If the host keypair(s) are truly useless for identifying a *single*,
short-lived target host, my suggestion would be to include "global"
keypairs into the image (and have them still replaced once in a while).
That would at least protect clients from a fake host set up by someone
who doesn't have access to the image or the legit hosts. (Or from
accidentally shredding a genuine "permanent" system that somehow
obtained the DNS name / IP of a short-lived one.)

If, however, reimaging is a standardized process that might allow the
new host pubkey(s) to be collected and distributed in one fell swoop,
there's the GlobalKnownHostsFile setting which is *supposed* to point to
a file maintained by the *sysadmins* ...

Regards,
-- 
Jochen Bern
Systemingenieur

www.binect.de
www.facebook.de/binect

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux