Re: How to remove old entries from known_hosts?

On Sat, Feb 17, 2024 at 2:58 PM Bob Proulx <bob@xxxxxxxxxx> wrote:
>
> Brian Candler wrote:
> > Chris Green wrote:
> > > ... redundant ones are because I have a mixed population of
> > > Raspberry Pis and such on my LAN and they get rebuilt fairly
> > > frequently and thus, each time, get a new entry in known_hosts.
> > ...many useful tips...
> > To disable host key checking altogether for certain domains and/or networks,
> > you can put this in ~/.ssh/config:
> >
> > host *.lab.example.com 10.11.*
> >   StrictHostKeyChecking no
> >   UserKnownHostsFile /dev/null
> > ...many useful tips...
>
> Additionally I would consider setting up global ssh_known_hosts
> containing the ssh host keys for your network.  If a key is in the
> global file then it won't be added to the local client file.  The
> global hosts file can be updated as you rebuild your lab machines and
> contain a canonical set of host keys for your LAN.  I do this.

And.... the cycles spent on yak shaving .ssh/known_hosts is why many
sites simply disable it. In environments where the exposed IP
addresses of rebuilt virtual hosts or proxies may shift without
notice, and especially when they may be rebuilt on previously used IP
addresses with old keys stored, maintaining .ssh/known_hosts becomes
more likely to disable expected and even mandatory operations than it
is to detect and help prevent a replaced host. Frankly, I gave up on
it years ago and use something like the settings below in
/etc/ssh/ssh_config.d/known_hosts.conf

Host *
   StrictHostKeyChecking no
   UserKnownHostsFile=/dev/null
   LogLevel=ERROR

It can be set more restrictively for your local non-routable VLAN, but
in the last 25 years I've seen precisely *zero* cases where
.ssh/known_hosts prevented rather than caused problems. I have seen
sites pour a lot of time and money and effort into setting up signed
host keys, to avoid the IP migration conflict issues, but I'd
recommend spending the time and money elsewhere like auditing for SSH
private keys without passphrases.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
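An added example (not from any post in this thread, and not OpenSSH code) showing the other way out of the rebuilt-Pi problem described above: drop the stale entries for one host from a known_hosts file instead of turning host key checking off. It handles the plain and comma-separated name forms as well as the HashKnownHosts form (|1|salt|hmac, HMAC-SHA1 keyed with the salt), keeps @cert-authority / @revoked lines and comments, and only trims the matched name from a multi-name line. The sample file, salt and key blobs are constructed placeholders.

```python
import base64
import hashlib
import hmac

def hash_host(host: str, salt_b64: str) -> str:
    """Build the '|1|salt|hmac' host field OpenSSH writes with HashKnownHosts."""
    salt = base64.b64decode(salt_b64)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (salt_b64, base64.b64encode(mac).decode())

# Constructed sample: a 20-byte salt (SHA-1 length, as OpenSSH uses) and
# placeholder key blobs; none of this is real key material.
SALT = base64.b64encode(b"0123456789abcdef0123").decode()
SAMPLE = "\n".join([
    "# lab hosts (constructed sample)",
    "pi-01.lab.example.com,10.11.0.1 ssh-ed25519 AAAAC3...pi01 old build",
    "pi-02.lab.example.com,10.11.0.2 ssh-ed25519 AAAAC3...pi02",
    hash_host("10.11.0.1", SALT) + " ssh-rsa AAAAB3...pi01rsa",
    "@cert-authority *.lab.example.com ssh-ed25519 AAAAC3...labca",
    "",
])

def remove_host(known_hosts: str, host: str):
    """Return (new_text, removed_count) with every entry for `host` dropped.

    `host` is matched literally, so pass the bracketed form for non-default
    ports, e.g. "[10.11.0.1]:2222".  Other names sharing a line survive.
    """
    kept, removed = [], 0
    for line in known_hosts.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(line)
            continue
        fields = stripped.split()
        marker = ""
        if fields[0].startswith("@"):          # @cert-authority / @revoked
            marker, fields = fields[0], fields[1:]
        names = fields[0]
        if names.startswith("|1|"):            # hashed entry: recompute the MAC
            salt_b64 = names.split("|")[2]
            if hmac.compare_digest(hash_host(host, salt_b64), names):
                removed += 1
                continue
            kept.append(line)
            continue
        remaining = [n for n in names.split(",") if n != host]
        if len(remaining) == len(names.split(",")):
            kept.append(line)                   # host not on this line
            continue
        removed += 1
        if remaining:                           # keep the line for the other names
            rest = [marker, ",".join(remaining)] + fields[1:]
            kept.append(" ".join(f for f in rest if f))
    return "\n".join(kept) + "\n", removed
```

Run against a real file, the same logic replaces the "delete and re-add on every rebuild" chore without widening StrictHostKeyChecking for the whole LAN; the UserKnownHostsFile /dev/null approach in the thread removes the check for every host the pattern matches.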