On 20140212_152909, Lars Noodén wrote:
> On 02/12/2014 02:59 PM, Brian wrote:
> > On Tue 11 Feb 2014 at 15:22:26 +0200, Lars Noodén wrote:
> > 
> >> ssh-keygen -r checks the SSHFP record in DNS.  Use grep or something to
> >> check known_hosts.  For me, ssh-keygen -R does not remove all the
> >> dynamically generated host keys, however.  I've not yet identified what
> >> confounds ssh-keygen.
> > 
> > The -F option should tell you what is in known_hosts; the hostname can
> > be a name or an IP address. If
> > 
> >    ssh <name>
> > 
> > is used two lines are entered into known_hosts and two invocations with
> > 'ssh-keygen -R' are needed to clear the file. With
> > 
> >    ssh <IP address>
> > 
> > only one line is produced.
> 
> Running 'ssh-keygen -R' multiple times was one of the things I tried
> early on.  'ssh-keygen -F' finds nothing, but grep for the hostname
> finds one entry, and then the same key is found many times with
> > different ip addresses.  With the dynamic hostnames, known_hosts
> > appears to accumulate only one entry with the hostname and then uses the
> > ip address alone for subsequent encounters of the same key.
> 
> > Could this explain your observation?
> 
> On this question, it appears that port plays a role.  If the default
> port is used, then -F and -R find the hostname.  If a non-standard port
> is used, then that has to be included in the search query.
> 
> >       ssh-keygen -F foobar.example.com
> >       ssh-keygen -F [foobar.example.com]:1234
> 
> So -F and -R get only specific host+port combinations, not all keys.
> 
> Regards,
> /Lars
> 

Lars,

Thanks for the new observations on ssh behavior. I would never have
suspected such complexity from what I know of the standard description
of ssh.

Live and learn.

Question: Suppose I encounter this situation of the 'known host' having
moved to a different IP address (or a different URL?), is there a way
to discover whether the change is due to a properly functioning DynDNS,
or to a somewhat unstealthy man-in-the-middle operation?

Both are low probability events for almost every user, whatever their
station in life, so thinking about assessing the odds doesn't give
much help.


-- 
Paul E Condon           
pecon...@mesanetworks.net
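
An added example, not from this thread and not OpenSSH's own code: a
Python sketch of the lookups discussed above. It parses a constructed
known_hosts (dummy key blobs, example.com/example.net names, all made up
here), finds lines the way ssh-keygen -F does (bare hostname on port 22,
[host]:port on any other port, hashed lines when HashKnownHosts is on),
lists every name a given key has been filed under (what the grep turned
up), and, for the DynDNS-versus-MITM question, compares the key a server
presents against what is recorded for the hostname or against an SSHFP
fingerprint (SHA-1 or SHA-256 over the decoded key blob, the same values
ssh-keygen -r prints). The classify() verdict names are my own.

```python
# Added example: known_hosts lookup semantics and SSHFP comparison.
# Everything below (keys, hostnames, the known_hosts text) is constructed.
import base64
import hashlib
import hmac
import re
from collections import namedtuple


def ssh_blob(key_type, raw):
    """SSH public-key wire blob: 4-byte-length-prefixed strings."""
    s = lambda b: len(b).to_bytes(4, "big") + b
    return s(key_type.encode()) + s(raw)


def hashed_host(host, salt=b"\x01" * 20):
    """HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


# Dummy keys (NOT real key material): well-formed ed25519 blobs over fixed bytes.
KEY_A = base64.b64encode(ssh_blob("ssh-ed25519", bytes(range(32)))).decode()
KEY_B = base64.b64encode(ssh_blob("ssh-ed25519", bytes(range(32, 64)))).decode()

# Constructed known_hosts mirroring the thread: the hostname on port 22, the same
# host on port 1234, the same key again under bare IPs, and one hashed line.
KNOWN_HOSTS = "\n".join([
    "# comment line",
    f"foobar.example.com ssh-ed25519 {KEY_A}",
    f"[foobar.example.com]:1234 ssh-ed25519 {KEY_A}",
    f"192.0.2.10 ssh-ed25519 {KEY_A}",
    f"192.0.2.11,192.0.2.12 ssh-ed25519 {KEY_A}",
    f"{hashed_host('other.example.net')} ssh-ed25519 {KEY_B}",
])

Entry = namedtuple("Entry", "patterns key_type key_b64 line_no")


def parse_known_hosts(text):
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):   # @cert-authority / @revoked marker
            fields = fields[1:]
        entries.append(Entry(fields[0].split(","), fields[1], fields[2], n))
    return entries


def host_token(host, port=22):
    """The name ssh records: bare host on port 22, [host]:port otherwise."""
    return host if port == 22 else f"[{host}]:{port}"


def pattern_matches(pattern, token):
    if pattern.startswith("|1|"):
        _, _, salt, mac = pattern.split("|")
        got = hmac.new(base64.b64decode(salt), token.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(got, base64.b64decode(mac))
    # known_hosts globbing: only * and ? are special; '[' is a literal character
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, token, re.IGNORECASE) is not None


def find_host(entries, host, port=22):
    """What ssh-keygen -F shows: lines for this exact host+port token only
    ('!' negated patterns are not handled in this sketch)."""
    tok = host_token(host, port)
    return [e for e in entries if any(pattern_matches(p, tok) for p in e.patterns)]


def find_key(entries, key_b64):
    """Every line carrying the same key, whatever name it was filed under."""
    return [e for e in entries if e.key_b64 == key_b64]


SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}


def sshfp(key_type, key_b64, fp_type=2):
    """(algorithm, fptype, hex) as in an SSHFP RR; 1 = SHA-1, 2 = SHA-256 of the blob."""
    h = hashlib.sha256 if fp_type == 2 else hashlib.sha1
    return SSHFP_ALG[key_type], fp_type, h(base64.b64decode(key_b64)).hexdigest()


def classify(entries, host, port, key_type, key_b64, dns_sshfp=None):
    """Verdict on a key presented for host:port; dns_sshfp is an (alg, fptype, hex)
    triple read from DNS, or None."""
    if dns_sshfp and sshfp(key_type, key_b64, dns_sshfp[1]) == tuple(dns_sshfp):
        return "sshfp-match"
    for_host = find_host(entries, host, port)
    if any(e.key_type == key_type and e.key_b64 == key_b64 for e in for_host):
        return "hostname-key-match"        # same machine, wherever DNS points now
    if any(e.key_type == key_type for e in for_host):
        return "hostname-key-mismatch"     # what ssh's host-identification warning flags
    if find_key(entries, key_b64):
        return "key-known-under-other-names"   # seen before under an IP or another port
    return "unknown"
```

The rule the verdicts encode: a host whose DNS name now points at a new
address but which still presents the key recorded under its hostname is
the same machine, and ssh accepts it without comment (CheckHostIP only
adds a note about the changed address); a different key under the same
hostname is exactly the case ssh warns about, and no amount of reasoning
about IP addresses substitutes for that key comparison. An SSHFP record
settles the no-entry case only when the DNS answer is DNSSEC-validated,
which is what ssh's VerifyHostKeyDNS option requires before trusting it.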


Archive: http://lists.debian.org/20140212173433.ga32...@big.lan.gnu