Re: Re: SSH host key rotation – known_hosts file not updated

Nico Kadel-Garcia wrote:
> And... *THIS* is why so many people disable known_hosts entirely. The
> chance of an IP address being reused for a distinct hostname is pretty
> high in a DHCP environment without reservations, coupled with dynamic
> DNS. It's also very common when servers get rebuilt from images and
> fresh hostkeys generated automatically on the same hardware, even with
> the same IP address. The popular solution is to simply disable
> known_hosts in your ~/.ssh/config as needed:

I mitigate this in two different ways. For one, if servers are getting
rebuilt routinely, such as for testing, for scaling out, or just for
normal replacement, then I always install the same role key for those
servers. It's a replacement for a previous server? Then it gets the
same role key as the prior server.

The second thing I do is build a global ssh_known_hosts with the
known host keys of the dynamic server pool systems. Since the key is
in the system-level ssh_known_hosts, it doesn't get added to the
user-level known_hosts file. And the system-level file is updated as
needed.

That's not to say that I don't /dev/null host keys in some cases too.
Here, if I connect to an IP address, then I know it is just a one-off
not to be saved, and I discard host keys in that case.

Bob
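The two practices Bob describes, a system-wide ssh_known_hosts built from per-role host keys plus a client config that discards keys for one-off connections by bare IP address, put together as an added example. This is not code from the mailing-list post or from OpenSSH; the host names, the 10.0.0.0/24 lab range and the key strings are constructed placeholders (the key strings are not valid public keys), and the `emit_role_entry`, `build_known_hosts`, `known_host_key` and `write_oneoff_config` helper names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: build a system-wide
# ssh_known_hosts from "role key -> pool members" mappings, look a host up
# in it, and write the ssh_config fragment that discards keys for one-off
# connections made by bare IP address.  Host names, addresses and keys are
# constructed placeholders; the key strings are not valid public keys.

WORK=$(mktemp -d)

# Constructed role host keys.  In a real deployment each role key pair is
# generated once and installed as the host key on every server in that role,
# so a rebuilt server presents the same key as the one it replaced.
WEB_ROLE_KEY='ssh-ed25519 AAAAexampleWebRoleKey0000'
DB_ROLE_KEY='ssh-ed25519 AAAAexampleDbRoleKey00000'

# Print one known_hosts line: "host1,host2,10.0.0.11 ssh-ed25519 AAAA..."
# $1 = public key ("type base64"); remaining args = the names and addresses
# that currently fill the role.
emit_role_entry() {
    key=$1; shift
    hosts=$(printf '%s,' "$@")
    printf '%s %s\n' "${hosts%,}" "$key"
}

# Write the global file.  Listing both the DNS name and the address means
# neither way of connecting falls through to ~/.ssh/known_hosts.
build_known_hosts() {
    out=$1
    {
        printf '# generated by build_known_hosts; do not edit by hand\n'
        emit_role_entry "$WEB_ROLE_KEY" web1.example.test web2.example.test 10.0.0.11 10.0.0.12
        emit_role_entry "$DB_ROLE_KEY" db1.example.test 10.0.0.21
    } > "$out"
}

# Look up the key recorded for a host.  Prints "type base64" or nothing.
# Covers the plain entries written above; hashed entries (HashKnownHosts yes)
# need `ssh-keygen -F host -f file`, which this awk does not handle.
known_host_key() {
    awk -v h="$1" '
        $1 !~ /^[#@]/ {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == h) { print $2, $3; exit }
        }' "$2"
}

# ssh_config fragment: a bare-IP connection in the (constructed) lab range is
# a one-off, so its host key is never written to the user file.  Pool members
# are still pinned through the global file, which ssh consults regardless of
# UserKnownHostsFile, so a changed key on a pool address is still rejected.
write_oneoff_config() {
    cat > "$1" <<'EOF'
GlobalKnownHostsFile /etc/ssh/ssh_known_hosts

# One-off connections by address: do not record their host keys
Match host 10.0.0.*
    UserKnownHostsFile /dev/null
EOF
}

build_known_hosts "$WORK/ssh_known_hosts"
write_oneoff_config "$WORK/ssh_config_oneoff"
known_host_key web2.example.test "$WORK/ssh_known_hosts"
```

Run as-is it writes both files under a temporary directory and prints the web role key recorded for web2.example.test; in use, the generated known_hosts would be installed as /etc/ssh/ssh_known_hosts by whatever tool rebuilds the pool, and the fragment would go into the client's ssh_config. Keeping the pool's addresses in the global file is what makes the /dev/null setting safe to combine with a Match on the same range.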
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev