Re: Re: Re: SSH host key rotation – known_hosts file not updated

On 2024-10-17 19:26, Nico Kadel-Garcia wrote:

> > Thank you! Increasing the verbosity revealed a known_hosts entry linked
> > to serverA's IP address (I had forgotten that I had connected to it by
> > IP address at some point). Deleting this entry solved the problem; the
> > new host key was stored in known_hosts when I connected to serverA
> > again.
> >
> > - Jan
> 
> And... *THIS* is why so many people disable known_hosts entirely. The
> chance of an IP address being reused for a distinct hostname is pretty
> high in a DHCP environment without reservations, coupled with dynamic
> DNS. It's also very common when servers get rebuilt from images and
> fresh hostkeys generated automatically on the same hardware, even with
> the same IP address. The popular solution is to simply disable
> known_hosts in your ~/.ssh/config as needed:
> 
>     # Disable known_hosts to avoid IP re-use conflicts
>     Host *
>         UserKnownHostsFile /dev/null
>         StrictHostKeyChecking no
>         LogLevel ERROR

Thanks for the hint. How would I verify a server's identity without
known_hosts / StrictHostKeyChecking?

- Jan

Attachment: signature.asc
Description: PGP signature
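The lookup Jan did with the verbose flag, as an added example that is not part of this thread or of OpenSSH: a small Python model of how ssh matches known_hosts entries, including hashed "|1|salt|hmac" lines written under HashKnownHosts, and why an entry keyed by the address alone still produces a changed-key warning after the hostname entry has been refreshed. The host name, the address 192.0.2.10, the salt and both key blobs are constructed sample data. forget() models "ssh-keygen -R <address>", which removes the stale line while keeping verification on; the quoted config above instead accepts whatever key a host offers every time, because with UserKnownHostsFile /dev/null nothing is ever pinned and with StrictHostKeyChecking no nothing is ever refused.

```python
"""Which known_hosts entry pins a host's key, matched the way ssh matches it.

Added example for this thread, not OpenSSH code.  The host name, the address
192.0.2.10, the salt and both key blobs are constructed sample data.  Plain
"host,ip" patterns and hashed "|1|salt|hmac" patterns (HashKnownHosts yes) are
handled; wildcards, negation and [host]:port patterns are not modeled.
"""
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass


def fake_ed25519_blob(seed: bytes) -> bytes:
    """Public-key blob in ssh-ed25519 wire layout (length-prefixed strings); dummy key bytes."""
    key = hashlib.sha256(seed).digest()
    return struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key


def hashed_pattern(name: str, salt: bytes) -> str:
    """The |1|salt|hmac field ssh writes for name when HashKnownHosts is yes."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


@dataclass
class KnownHost:
    lineno: int
    marker: str    # "" or a leading @cert-authority / @revoked marker
    pattern: str   # hostname field: "a,b,c" or a hashed |1|salt|hmac value
    keytype: str
    blob: bytes    # base64-decoded public key

    def fingerprint(self) -> str:
        """SHA256 fingerprint as ssh-keygen -lf prints it (unpadded base64)."""
        digest = hashlib.sha256(self.blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

    def matches(self, name: str) -> bool:
        """Does this entry apply to name (a hostname or an IP literal)?"""
        if self.pattern.startswith("|1|"):
            _, _, salt_b64, mac_b64 = self.pattern.split("|")
            mac = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
            return hmac.compare_digest(mac, base64.b64decode(mac_b64))
        return name in self.pattern.split(",")


def parse_known_hosts(text: str) -> list:
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = ""
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if len(fields) >= 3:
            entries.append(KnownHost(lineno, marker, fields[0], fields[1], base64.b64decode(fields[2])))
    return entries


def verify(entries: list, names: list, offered: bytes) -> dict:
    """Per name, what ssh concludes about the offered key: "ok", "changed" or "new".

    The hostname and (with CheckHostIP yes) the address are checked separately,
    so a stale entry for the address alone is enough to trigger a warning.
    """
    result = {}
    for name in names:
        matching = [e for e in entries if not e.marker and e.matches(name)]
        if not matching:
            result[name] = "new"        # StrictHostKeyChecking ask would offer to add it
        elif any(e.blob == offered for e in matching):
            result[name] = "ok"
        else:
            result[name] = "changed"    # the REMOTE HOST IDENTIFICATION HAS CHANGED case
    return result


def stale_lines(entries: list, name: str, offered: bytes) -> list:
    """Line numbers pinning a different key for name: what ssh -v points at."""
    return [e.lineno for e in entries if not e.marker and e.matches(name) and e.blob != offered]


def forget(entries: list, name: str) -> list:
    """Drop every entry matching name, which is what ssh-keygen -R name does."""
    return [e for e in entries if not e.matches(name)]


# Constructed file: a hostname entry written after the key rotation, and a
# hashed entry for the address left over from a connection before it.
OLD_BLOB = fake_ed25519_blob(b"old host key")
NEW_BLOB = fake_ed25519_blob(b"new host key")
KNOWN_HOSTS = "\n".join([
    "# added after serverA's host key was rotated",
    "serverA.example.org ssh-ed25519 " + base64.b64encode(NEW_BLOB).decode(),
    "# added by an earlier connection to the address, HashKnownHosts yes",
    hashed_pattern("192.0.2.10", bytes(range(20))) + " ssh-ed25519 " + base64.b64encode(OLD_BLOB).decode(),
])

if __name__ == "__main__":
    entries = parse_known_hosts(KNOWN_HOSTS)
    print(verify(entries, ["serverA.example.org", "192.0.2.10"], NEW_BLOB))
    print("stale:", stale_lines(entries, "192.0.2.10", NEW_BLOB))
```

Run as a script it reports the hostname as "ok" and the address as "changed", with line 4 as the stale entry; after forget("192.0.2.10") the address comes back as "new", which is the state Jan reached by deleting the entry and reconnecting. The point of modeling the address check separately is that the fix is scoped to the one stale line, not to host key checking as a whole.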

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
