On 14/02/2024 11:42, Chris Green wrote:
Is there any way to remove old entries from the known_hosts file? With
the hashed 'names' one can't easily see which entries are which. I
have around 150 lines in my known hosts but in reality I only ssh to a
dozen or so systems. All the redundant ones are because I have a
mixed population of Raspberry Pis and such on my LAN and they get
rebuilt fairly frequently and thus, each time, get a new entry in
known_hosts.
As a result I have to set 'PreferredAuthentications password' for some
systems because there are *loads* of redundant keys which cause login
to fail otherwise.
Set 'HashKnownHosts no' in /etc/ssh/ssh_config. This is actually the
default for OpenSSH, but many distro vendors set it to yes because "it's
more secure, obvs".

Connect to all the machines you need to and delete the lines which
conflict (ssh will tell you the line number). When your known_hosts
seems to contain the hosts you want, delete all the hashed ones. Or
simply start from scratch with an empty known_hosts.

To disable host key checking altogether for certain domains and/or
networks, you can put this in ~/.ssh/config:

    host *.lab.example.com 10.11.*
        StrictHostKeyChecking no
        UserKnownHostsFile /dev/null
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
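The clean-up procedure above (connect, note the conflicting line, delete it, then drop the hashed leftovers) can be done without reading hashed names at all, because a hashed entry can still be tested against a candidate hostname: the field is `|1|base64(salt)|base64(HMAC-SHA1(salt, hostname))`, which is exactly what `ssh-keygen -F host -f ~/.ssh/known_hosts` (find) and `ssh-keygen -R host` (remove) compute. The following is an added example, not code from the thread or from OpenSSH: it re-implements that match in Python, prunes a known_hosts file down to a set of wanted names, and removes every entry for one host the way `-R` does. The hostnames, salts and keys are constructed placeholders, and wildcard or negated host patterns are not handled.

```python
"""Prune an OpenSSH known_hosts file down to the hosts you actually use.

Added example, not OpenSSH code.  A hashed entry has the form
    |1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)> <keytype> <base64 key>
so the hostname cannot be read back, but a candidate name *can* be tested
against it.  Wildcard (*, ?) and negated (!) host patterns are not handled.
"""
import base64
import hashlib
import hmac
from typing import Optional

HASH_MAGIC = "|1|"   # marker OpenSSH puts in front of hashed host names
SALT_LEN = 20        # OpenSSH uses a 20-byte salt (SHA-1 digest size)


def hash_hostname(host: str, salt: bytes) -> str:
    """Build the hashed host field exactly as 'HashKnownHosts yes' writes it."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return (HASH_MAGIC + base64.b64encode(salt).decode()
            + "|" + base64.b64encode(mac).decode())


def hashed_matches(field: str, host: str) -> bool:
    """True if a hashed host field was produced from `host`."""
    if not field.startswith(HASH_MAGIC):
        return False
    try:
        _, _, salt_b64, _ = field.split("|")
        salt = base64.b64decode(salt_b64, validate=True)
    except ValueError:
        return False                      # malformed hash field: no match
    return hmac.compare_digest(hash_hostname(host, salt), field)


def names_match(names_field: str, host: str) -> bool:
    """Match one host field (plain or hashed) against a name.
    Plain fields may carry several comma-separated names or addresses."""
    if names_field.startswith(HASH_MAGIC):
        return hashed_matches(names_field, host)
    return host in names_field.split(",")


def _host_field(line: str) -> Optional[str]:
    """Return the host field of an entry, or None for blank/comment lines.
    A leading @marker (@cert-authority, @revoked) is skipped over."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    return tokens[1] if tokens[0].startswith("@") else tokens[0]


def prune_known_hosts(text: str, wanted) -> tuple:
    """Split entries into (kept, dropped): an entry is kept if any wanted
    name matches it.  Comments and blank lines are always kept."""
    kept, dropped = [], []
    for line in text.splitlines():
        field = _host_field(line)
        if field is None or any(names_match(field, h) for h in wanted):
            kept.append(line)
        else:
            dropped.append(line)
    return kept, dropped


def remove_host(text: str, host: str) -> list:
    """Drop every entry for `host`, hashed or not: the effect of
    'ssh-keygen -R host'.  Do this before reconnecting to a rebuilt
    machine so the old key no longer conflicts with the new one."""
    out = []
    for line in text.splitlines():
        field = _host_field(line)
        if field is not None and names_match(field, host):
            continue
        out.append(line)
    return out


# Constructed sample file.  Keys are placeholders, not real public keys.
KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI{}"
SALTS = [bytes([i] * SALT_LEN) for i in (1, 2, 3)]
SAMPLE = "\n".join([
    "# constructed sample known_hosts",
    "router.lab,10.11.0.1 " + KEY.format("ROUTERKEY"),
    hash_hostname("pi4.lab", SALTS[0]) + " " + KEY.format("PI4CURRENT"),
    hash_hostname("pi4.lab", SALTS[1]) + " " + KEY.format("PI4STALE"),  # earlier rebuild
    hash_hostname("oldbox.lab", SALTS[2]) + " " + KEY.format("OLDBOXKEY"),
    "decommissioned.example.org " + KEY.format("GONEKEY"),
])

if __name__ == "__main__":
    kept, dropped = prune_known_hosts(SAMPLE, {"router.lab", "pi4.lab"})
    print("kept:\n" + "\n".join(kept))
    print("dropped:\n" + "\n".join(dropped))
    # Both pi4.lab entries survive pruning: filtering by name cannot tell
    # the current key from the stale one, so remove the host and reconnect.
    print("after remove_host('pi4.lab'):\n" + "\n".join(remove_host(SAMPLE, "pi4.lab")))
```

Pruning by name keeps both the current and the stale pi4.lab entry, which is the conflict the original poster describes; only removing the host (`ssh-keygen -R pi4.lab`, or `remove_host` here) and reconnecting clears it. Note that the `StrictHostKeyChecking no` plus `UserKnownHostsFile /dev/null` snippet in the reply removes host-key verification entirely for the matched patterns, so a machine-in-the-middle on that network segment is no longer detected; it is a convenience for throwaway lab hosts, not something to apply to `*`.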