Re: Mass-updating cached hosts keys after ssh security upgrade?

2008-07-22 Thread Maximilian Wilhelm
Anno domini 2008 JW scripsit:

Hi!

> In the past several weeks I have applied the openssh/openssl updates to my 
> systems - the updates that fix the random-number-generator weakness.

> This has turned into an unexpected nightmare: my users have, between them 
> all, 
> dozens of cached host keys, and they are nearly unable to work because every 
> time they turn around they're getting bad-old-cached-key warnings (REMOTE 
> HOST IDENTIFICATION HAS CHANGED).

> I've been trying to go through all the known_hosts files manually and update 
> them to give my users a break, but it's a tedious nightmare. Adding to the 
> complexity is that many of the known_hosts files are armored (the hostname/ip 
> address is not in plain text).

> Has anyone come up with a way to read all the cached hosts - all the 
> ~/.ssh/known_hosts entries on a system (or at least per user) and fix them?

> Essentially I need some semi-automated way to fix this since I have many 
> users' connections to fix still (hundreds if not thousands by the time I do 
> machines X users X outgoing connections).

Others have already pointed out how to do this.
When you have finished the cleaning up, you might be interested in 

http://rfc2324.org/projects/ssh-keysync

Comments welcome.

Ciao
Max
-- 
Follow the white penguin.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Mass-updating cached hosts keys after ssh security upgrade?

2008-07-22 Thread Mike Dornberger
Hi,

On Mon, Jul 21, 2008 at 06:43:31PM -0500, JW wrote:
> Has anyone come up with a way to read all the cached hosts - all the 
> ~/.ssh/known_hosts entries on a system (or at least per user) and fix them?
> 
> Essentially I need some semi-automated way to fix this since I have many 
> users' connections to fix still (hundreds if not thousands by the time I do 
> machines X users X outgoing connections).

I have written a little script that does this with the help of ssh-keyscan's
-R option. (It doesn't work with the sarge version btw. because it didn't
have -R.) If you put in your domain at the beginning and the hostnames in
the "for x in..." loop it deletes (the probably hashed) lines with
hostname.domain, hostname (w/o domain) if the domain is in /etc/resolv.conf
and the IP of hostname.domain, if it can be resolved at the time the script
runs. I have put the test with /etc/resolv.conf there, so the script can be
run by users on computers in other domains, but won't delete lines for
host001 there, because they would really be host001.otherdomain and not
host001.yourdomain. In any case it makes a backup of the original
known_hosts.

It may be a bit too verbose; maybe some warnings get easily overlooked
because of that (e. g. problem resolving hostname.domain -> IP). If you use
IPv6 already, you probably need to add some lines for that to the script. It
should be similar to the IPv4 case.

Greetings,
 Mike Dornberger


delvulnhostkeys.sh
Description: Bourne shell script


Re: Mass-updating cached hosts keys after ssh security upgrade?

2008-07-21 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote:
> I've been trying to go through all the known_hosts files manually and update 
> them to give my users a break, but it's a tedious nightmare. Adding to the 
> complexity is that many of the known_hosts files are armored (the hostname/ip 
> address is not in plain text).

What kind of hosts are those? I would add all your machines to all
system-known_hosts and then delete the entries from user files.

The latter can be done with a shell script, and you should ask your users to
run it themselves. Just consisting of a loop, reading the hosts from
/etc/ssh/known_hosts and deleting them via

ssh-keygen -R "$host"

Greetings
Bernd





Re: Mass-updating cached hosts keys after ssh security upgrade?

2008-07-21 Thread Michael Stone

On Mon, Jul 21, 2008 at 06:43:31PM -0500, JW wrote:
> This has turned into an unexpected nightmare: my users have, between them all, 
> dozens of cached host keys, and they are nearly unable to work because every 
> time they turn around they're getting bad-old-cached-key warnings (REMOTE 
> HOST IDENTIFICATION HAS CHANGED).


I'd suggest investigating using ssh-keyscan to generate a common
/etc/ssh/ssh_known_hosts file for all your machines, rather than trying 
to manage it on a per-user basis.


Mike Stone


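The procedure the replies above describe (Mike Stone's ssh-keyscan-generated /etc/ssh/ssh_known_hosts, Bernd's ssh-keygen -R loop over the hosts in that file, Mike Dornberger's backup and address-form removal), worked through as one script. This is an added example, not the attached delvulnhostkeys.sh or anyone's posted code; it assumes an ssh-keygen that supports -R (etch or later, per the thread), a glibc getent, and a system ssh_known_hosts whose lines are not hashed.

```shell
#!/bin/sh
# Added example: rebuild the system-wide host-key file with ssh-keyscan, then
# purge the stale per-user entries with ssh-keygen -R. Assumes ssh-keygen -R
# (etch or later) and getent; file names below are placeholders.

# Print every host name and address found on plain-text known_hosts lines, one
# per line, deduplicated. Hashed (|1|...) lines, comments and @cert-authority /
# @revoked markers are skipped: their names cannot be read back from the file.
list_hosts() {  # $1 = known_hosts file
    awk '
        /^[ \t]*#/ || NF < 3      { next }   # comments, blank or short lines
        substr($1, 1, 1) == "@"   { next }   # marker lines
        substr($1, 1, 3) == "|1|" { next }   # hashed entries
        { n = split($1, a, ",")
          for (i = 1; i <= n; i++) if (a[i] != "") print a[i] }
    ' "$1" | LC_ALL=C sort -u
}

# Regenerate the system file from a list of hosts (run once per site, as root).
# Older servers only offer rsa/dsa keys; add newer types if your servers do.
scan_hosts() {  # $1 = file with one host per line, $2 = output ssh_known_hosts
    ssh-keyscan -t rsa,dsa -f "$1" > "$2.new" 2>/dev/null && mv "$2.new" "$2"
}

# Remove every entry for the hosts in the system file from a user's known_hosts,
# including the address form ssh caches separately, after a timestamped backup.
# ssh-keygen -R matches hashed lines itself, so the user file may be hashed.
purge_user_known_hosts() {  # $1 = system ssh_known_hosts, $2 = user known_hosts
    [ -f "$2" ] || return 0
    cp -p "$2" "$2.bak.$(date +%Y%m%d%H%M%S)"
    list_hosts "$1" | while IFS= read -r host; do
        ssh-keygen -R "$host" -f "$2" >/dev/null 2>&1
        ip=$(getent hosts "$host" 2>/dev/null | awk 'NR == 1 { print $1 }')
        if [ -n "$ip" ] && [ "$ip" != "$host" ]; then
            ssh-keygen -R "$ip" -f "$2" >/dev/null 2>&1
        fi
    done
}

# Usage: sh purge-stale-hostkeys.sh /etc/ssh/ssh_known_hosts [~/.ssh/known_hosts]
if [ $# -ge 1 ]; then
    purge_user_known_hosts "$1" "${2:-$HOME/.ssh/known_hosts}"
fi
```

Once the user file is purged, the next connection to each host is answered from the regenerated system file, so the REMOTE HOST IDENTIFICATION HAS CHANGED warning does not reappear.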



Re: Mass-updating cached hosts keys after ssh security upgrade?

2008-07-21 Thread Michael Loftis

ssh-keyscan

--On July 21, 2008 6:43:31 PM -0500 JW <[EMAIL PROTECTED]> wrote:


> Hello,
> 
> In the past several weeks I have applied the openssh/openssl updates to
> my systems - the updates that fix the random-number-generator weakness.
> 
> This has turned into an unexpected nightmare: my users have, between them
> all, dozens of cached host keys, and they are nearly unable to work
> because every time they turn around they're getting bad-old-cached-key
> warnings (REMOTE HOST IDENTIFICATION HAS CHANGED).
> 
> I've been trying to go through all the known_hosts files manually and
> update them to give my users a break, but it's a tedious nightmare.
> Adding to the complexity is that many of the known_hosts files are
> armored (the hostname/ip address is not in plain text).
> 
> Has anyone come up with a way to read all the cached hosts - all the
> ~/.ssh/known_hosts entries on a system (or at least per user) and fix
> them?
> 
> Essentially I need some semi-automated way to fix this since I have many
> users' connections to fix still (hundreds if not thousands by the time I
> do machines X users X outgoing connections).
> 
> Thanks,
> 
> JW







--
"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler

