Re: ssh host ip/id management for dynamic dns servers [OT?]

2014-02-12 Thread Brian
On Tue 11 Feb 2014 at 06:52:10 -0700, Paul E Condon wrote:

> I'm puzzled about the apparent 'security theater' on this topic.
> Known host checking is done, I think, to defend against 'man in the
> middle', so when the known host key changes because of some event down
> in the bowels of dynamic dns, does one have any possibility of
> determining that it is truly *not* a man-in-the-middle attack? Is there
> some method for checking up on dynamic dns changes other than merely
> noting the new value and adapting to it?

The IP address of the machine may change but its fingerprint doesn't. So
you check that. Some people use 'VisualHostKey yes' as a memory aid.


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/12022014130038.4f3b3bd04...@desktop.copernicus.demon.co.uk



Re: ssh host ip/id management for dynamic dns servers

2014-02-12 Thread Brian
On Tue 11 Feb 2014 at 15:22:26 +0200, Lars Noodén wrote:

> ssh-keygen -r checks the SSHFP record in DNS.  Use grep or something to
> check known_hosts.  For me, ssh-keygen -R does not remove all the
> dynamically generated host keys, however.  I've not yet identified what
> confounds ssh-keygen.

The -F option should tell you what is in known_hosts; the hostname can
be a name or an IP address. If

   ssh name

is used two lines are entered into known_hosts and two invocations with
'ssh-keygen -R' are needed to clear the file. With

   ssh IP address

only one line is produced.

Could this explain your observation?


Archive: 
http://lists.debian.org/12022014124556.8904c40ed...@desktop.copernicus.demon.co.uk



Re: ssh host ip/id management for dynamic dns servers

2014-02-12 Thread Lars Noodén
On 02/12/2014 02:59 PM, Brian wrote:
> On Tue 11 Feb 2014 at 15:22:26 +0200, Lars Noodén wrote:
>
> ssh-keygen -r checks the SSHFP record in DNS.  Use grep or something to
> check known_hosts.  For me, ssh-keygen -R does not remove all the
> dynamically generated host keys, however.  I've not yet identified what
> confounds ssh-keygen.
>
> The -F option should tell you what is in known_hosts; the hostname can
> be a name or an IP address. If
>
>    ssh name
>
> is used two lines are entered into known_hosts and two invocations with
> 'ssh-keygen -R' are needed to clear the file. With
>
>    ssh IP address
>
> only one line is produced.

Running 'ssh-keygen -R' multiple times was one of the things I tried
early on.  'ssh-keygen -F' finds nothing, but grep for the hostname
finds one entry, and then the same key is found many times with
different IP addresses.  With the dynamic hostnames, known_hosts
appears to accumulate only one entry with the hostname and then uses the
IP address alone for subsequent encounters of the same key.

> Could this explain your observation?

On this question, it appears that port plays a role.  If the default
port is used, then -F and -R find the hostname.  If a non-standard port
is used, then that has to be included in the search query.

ssh-keygen -F foobar.example.com
ssh-keygen -F [foobar.example.com]:1234

So -F and -R get only specific host+port combinations, not all keys.

Regards,
/Lars


Archive: http://lists.debian.org/52fb7725.5050...@gmail.com
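An added worked example, not code from the thread: a small Python reader for the known_hosts format that reproduces the lookup behaviour Brian and Lars describe above. It shows why a host used on a non-default port has to be searched as [host]:port, why an IP-only line left behind after a dynamic-DNS move survives a removal by name (so a second removal by address is needed), and how a hashed entry, the |1|salt|hash form OpenSSH writes with HashKnownHosts yes (Debian ships that setting in /etc/ssh/ssh_config), is still matched by recomputing HMAC-SHA1 over the name. The sample file, its host names, addresses, salt and key strings are constructed for the example; find_entries and remove_entries are this example's approximation of what -F and -R do, not OpenSSH's code.

```python
import base64
import hashlib
import hmac
import re

def parse_line(line):
    """Split one known_hosts line into (marker, hosts, keytype, key).
    Returns None for blank lines and comments. marker is '' or an
    @cert-authority / @revoked prefix."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split(None, 4)          # [marker?, hosts, type, key, comment]
    marker = ""
    if fields[0].startswith("@"):
        marker, fields = fields[0], fields[1:]
    if len(fields) < 3:
        return None
    return marker, fields[0], fields[1], fields[2]

def lookup_name(host, port=22):
    """The string OpenSSH stores and searches for: the bare host on port 22,
    [host]:port on any other port. This is why -F host finds nothing for a
    host that was only ever used on port 1234."""
    return host if port == 22 else "[%s]:%d" % (host, port)

def glob_match(pattern, name):
    """known_hosts wildcards are only '*' and '?'; everything else, including
    the [] around a port-qualified name, is literal (fnmatch would be wrong)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, name) is not None

def host_field_matches(field, name):
    """Does one line's host field cover name? Handles comma-separated lists,
    '!' negation and hashed |1|base64(salt)|base64(HMAC-SHA1(salt, name))."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    matched = False
    for pat in field.split(","):
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if glob_match(pat, name):
            if negated:
                return False
            matched = True
    return matched

def find_entries(text, host, port=22):
    """What ssh-keygen -F reports: every line whose host field covers host."""
    name = lookup_name(host, port)
    hits = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed and host_field_matches(parsed[1], name):
            hits.append(line)
    return hits

def remove_entries(text, host, port=22):
    """What ssh-keygen -R does: drop whole lines that cover host and keep the
    rest. An IP-only line for the same key never mentions the name, so it
    survives; a second run with the IP is needed to remove it."""
    name = lookup_name(host, port)
    kept = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed and host_field_matches(parsed[1], name):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"

def hash_host(name, salt):
    """The |1|salt|hash form written with HashKnownHosts yes."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())

# Constructed sample file (not from the thread); the key fields are
# placeholder base64, not real keys, and the salt is fixed for repeatability.
SALT = bytes(range(20))
SAMPLE = "\n".join([
    "foobar.example.com,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5KEY1",
    "192.0.2.77 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5KEY1",             # after a DNS move
    "[foobar.example.com]:1234 ssh-rsa AAAAB3NzaC1yc2EKEY2",      # non-default port
    hash_host("raptor", SALT) + " ssh-rsa AAAAB3NzaC1yc2EKEY3",   # hashed name
    "# comments and blank lines pass through untouched",
]) + "\n"
```

Searching SAMPLE for foobar.example.com on port 22 returns only the first line; the same host on port 1234 returns only the bracketed line; raptor is found although the string "raptor" appears nowhere in the file. Removing foobar.example.com leaves the 192.0.2.77 line in place, which is the straggler Lars saw with grep.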



Re: ssh host ip/id management for dynamic dns servers

2014-02-12 Thread Paul E Condon
On 20140212_152909, Lars Noodén wrote:
> On 02/12/2014 02:59 PM, Brian wrote:
> > On Tue 11 Feb 2014 at 15:22:26 +0200, Lars Noodén wrote:
> >
> > ssh-keygen -r checks the SSHFP record in DNS.  Use grep or something to
> > check known_hosts.  For me, ssh-keygen -R does not remove all the
> > dynamically generated host keys, however.  I've not yet identified what
> > confounds ssh-keygen.
> >
> > The -F option should tell you what is in known_hosts; the hostname can
> > be a name or an IP address. If
> >
> >    ssh name
> >
> > is used two lines are entered into known_hosts and two invocations with
> > 'ssh-keygen -R' are needed to clear the file. With
> >
> >    ssh IP address
> >
> > only one line is produced.
>
> Running 'ssh-keygen -R' multiple times was one of the things I tried
> early on.  'ssh-keygen -F' finds nothing, but grep for the hostname
> finds one entry, and then the same key is found many times with
> different IP addresses.  With the dynamic hostnames, known_hosts
> appears to accumulate only one entry with the hostname and then uses the
> IP address alone for subsequent encounters of the same key.
>
> > Could this explain your observation?
>
> On this question, it appears that port plays a role.  If the default
> port is used, then -F and -R find the hostname.  If a non-standard port
> is used, then that has to be included in the search query.
>
>   ssh-keygen -F foobar.example.com
>   ssh-keygen -F [foobar.example.com]:1234
>
> So -F and -R get only specific host+port combinations, not all keys.
>
> Regards,
> /Lars
>

Lars,

Thanks for the new observations on ssh behavior. I would never have
suspected such complexity from what I know of the standard description
of ssh.

Live and learn.

Question: Suppose I encounter this situation of the 'known host' having
moved to a different IP address (or a different URL?), is there a way
to discover whether the change is due to a proper functioning DynDNS,
or to a somewhat unstealthy man-in-the-middle operation? 

Both are low probability events for almost every user, whatever their
station in life, so thinking about assessing the odds doesn't give
much help.


-- 
Paul E Condon   
pecon...@mesanetworks.net


Archive: http://lists.debian.org/20140212173433.ga32...@big.lan.gnu



Re: ssh host ip/id management for dynamic dns servers

2014-02-12 Thread Lars Noodén
On 02/12/2014 07:34 PM, Paul E Condon wrote:
> ...
> Question: Suppose I encounter this situation of the 'known host' having
> moved to a different IP address (or a different URL?), is there a way
> to discover whether the change is due to a proper functioning DynDNS,
> or to a somewhat unstealthy man-in-the-middle operation? ...

The key rather than the address is the authoritative identifier of a
host.  So a changing IP should be ok as long as the host key remains the
same.  It is the host key which is used as identification and proof
against a man in the middle attack.  So if the host key is the same, it
is not a MITM.  Or if it is a MITM, it's more serious in that you've
lost your key.

A changing IP leads to filling known_hosts with lots of entries, which
is what Zenaan's original question was about.  After the first entry for
a named host gets the name along with the IP, the subsequent known_host
entries for that key do not contain the hostname.

sed works for clearing them out but upon thinking about it, awk might be
better since it would allow keeping one copy of the key, sed would
remove them all.  However, awk must work via a temporary file and cannot
work directly on the known_hosts file.  With either, the pattern to
search for would be a key or a key fragment.

    # plain substring match via -v ('/' and '+' occur in base64 keys):
    # keep the first line carrying $key, drop every later one
    awk -v key="$key" 'index($0, key) && c++ { next } { print }' \
        ~/.ssh/known_hosts > ~/.ssh/known_hosts.new

It's going to be a short script, including extracting the key to use in
sed or awk.

Regards,
/Lars


Archive: http://lists.debian.org/52fbb768.3020...@gmail.com



Re: ssh host ip/id management for dynamic dns servers

2014-02-12 Thread Brian
On Wed 12 Feb 2014 at 10:34:33 -0700, Paul E Condon wrote:

> Question: Suppose I encounter this situation of the 'known host' having
> moved to a different IP address (or a different URL?), is there a way
> to discover whether the change is due to a proper functioning DynDNS,
> or to a somewhat unstealthy man-in-the-middle operation?

You have the answer in replies to your other mail. Look at the
fingerprint presented.


Archive: 
http://lists.debian.org/12022014182257.045ed6e6c...@desktop.copernicus.demon.co.uk



Re: ssh host ip/id management for dynamic dns servers

2014-02-12 Thread Paul E Condon
On 20140212_200320, Lars Noodén wrote:
> On 02/12/2014 07:34 PM, Paul E Condon wrote:
> > ...
> > Question: Suppose I encounter this situation of the 'known host' having
> > moved to a different IP address (or a different URL?), is there a way
> > to discover whether the change is due to a proper functioning DynDNS,
> > or to a somewhat unstealthy man-in-the-middle operation? ...
>
> The key rather than the address is the authoritative identifier of a
> host.  So a changing IP should be ok as long as the host key remains the
> same.  It is the host key which is used as identification and proof
> against a man in the middle attack.  So if the host key is the same, it
> is not a MITM.  Or if it is a MITM, it's more serious in that you've
> lost your key.
>
> A changing IP leads to filling known_hosts with lots of entries, which
> is what Zenaan's original question was about.  After the first entry for

   ^

Yes, but I asked an OT question. The key in the known_hosts file is surely
not a private key of the host.  Rather it is a key that the host
publishes to identify itself to all incoming traffic. What keeps a
good person, like a well-meaning employee of the NSA, from making a
copy of the published key and using the copy to spoof the site, in
order to check up on the legitimacy of the use of the ssh connection?

> a named host gets the name along with the IP, the subsequent known_host
> entries for that key do not contain the hostname.
>
> sed works for clearing them out but upon thinking about it, awk might be
> better since it would allow keeping one copy of the key, sed would
> remove them all.  However, awk must work via a temporary file and cannot
> work directly on the known_hosts file.  With either, the pattern to
> search for would be a key or a key fragment.
>
>     # plain substring match via -v ('/' and '+' occur in base64 keys):
>     # keep the first line carrying $key, drop every later one
>     awk -v key="$key" 'index($0, key) && c++ { next } { print }' \
>         ~/.ssh/known_hosts > ~/.ssh/known_hosts.new
>
> It's going to be a short script, including extracting the key to use in
> sed or awk.
>
> Regards,
> /Lars



-- 
Paul E Condon   
pecon...@mesanetworks.net


Archive: http://lists.debian.org/20140212183044.gb32...@big.lan.gnu



Re: ssh host ip/id management for dynamic dns servers

2014-02-12 Thread Dan Purgert

On 12/02/2014 13:30, Paul E Condon wrote:

> On 20140212_200320, Lars Noodén wrote:
> On 02/12/2014 07:34 PM, Paul E Condon wrote:
> ...
> Question: Suppose I encounter this situation of the 'known host' having
> moved to a different IP address (or a different URL?), is there a way
> to discover whether the change is due to a proper functioning DynDNS,
> or to a somewhat unstealthy man-in-the-middle operation? ...
>
> [...]
>
> A changing IP leads to filling known_hosts with lots of entries, which
> is what Zenaan's original question was about.  After the first entry for
>
> ^
>
> Yes, but I asked an OT question. The key in the known_hosts file is surely
> not a private key of the host.  Rather it is a key that the host
> publishes to identify itself to all incoming traffic. What keeps a
> good person, like a well-meaning employee of the NSA, from making a
> copy of the published key and using the copy to spoof the site, in
> order to check up on the legitimacy of the use of the ssh connection?



The Host ID is based off the SSH private key left on that machine. So the only 
way for your friendly neighborhood NSA agent to generate a duplicate host ID is 
for them to have a copy of your server's private key.



-Dan






Archive: http://lists.debian.org/52fbd496.70...@djph.net



Re: ssh host ip/id management for dynamic dns servers

2014-02-12 Thread Scott Ferguson
On 13/02/14 07:07, Dan Purgert wrote:
> On 12/02/2014 13:30, Paul E Condon wrote:
> On 20140212_200320, Lars Noodén wrote:
> On 02/12/2014 07:34 PM, Paul E Condon wrote:
> ...
> Question: Suppose I encounter this situation of the 'known host' having
> moved to a different IP address (or a different URL?), is there a way
> to discover whether the change is due to a proper functioning DynDNS,
> or to a somewhat unstealthy man-in-the-middle operation? ...
>
> [...]
>
> A changing IP leads to filling known_hosts with lots of entries, which
> is what Zenaan's original question was about.  After the first entry for
>
> ^
>
> Yes, but I asked an OT question. The key in the known_hosts file is surely
> not a private key of the host.  Rather it is a key that the host
> publishes to identify itself to all incoming traffic. What keeps a
> good person, like a well-meaning employee of the NSA, from making a
> copy of the published key and using the copy to spoof the site, in
> order to check up on the legitimacy of the use of the ssh connection?
>
>
> The Host ID is based off the SSH private key left on that machine. So
> the only way for your friendly neighborhood NSA agent to generate a
> duplicate host ID is for them to have a copy of your server's private key.

1++


 
 
> -Dan

And if the person/company running the host is halfway competent they'll
have implemented DNSSEC - so even a stolen SSH keypair won't enable them
to impersonate the host  - *if* you check DNSSEC.

NOTE: that like electronic mail signatures, most businesses don't bother
to implement DNSSEC, and most clients don't check - but it's something
to bear in mind.


Kind regards


Archive: http://lists.debian.org/52fc0460.7000...@gmail.com



Re: ssh host ip/id management for dynamic dns servers

2014-02-11 Thread Brian
On Tue 11 Feb 2014 at 10:10:37 +1100, Zenaan Harkness wrote:

> I'm wondering:
>
> 1) how to easily clean known_hosts

ssh-keygen with the -R option.


Archive: 
http://lists.debian.org/11022014100832.9c8f79ec5...@desktop.copernicus.demon.co.uk



Re: ssh host ip/id management for dynamic dns servers

2014-02-11 Thread Karl E. Jorgensen
Hi

On Tue, Feb 11, 2014 at 09:53:32AM +1100, Zenaan Harkness wrote:
> With a dyndns type server, each time a new ip address happens, ssh
> login adds a new entry to .known_hosts
>
> Is there a recommended way to handle this?

Turn off CheckHostIP ?

For the uninitiated, in your ~/.ssh/config file:

Host {{dns-name-of-host}}
 CheckHostIP no

See ssh_config(5) for details - the relevant part is:
     CheckHostIP
             If this flag is set to “yes”, ssh(1) will additionally check the
             host IP address in the known_hosts file.  This allows ssh to
             detect if a host key changed due to DNS spoofing.  If the option
             is set to “no”, the check will not be executed.  The default is
             “yes”.

Hope this helps

-- 
Karl E. Jorgensen


Archive: http://lists.debian.org/2014020423.GB13514@hawking



Re: ssh host ip/id management for dynamic dns servers

2014-02-11 Thread Zenaan Harkness
On 2/11/14, Brian a...@cityscape.co.uk wrote:
> On Tue 11 Feb 2014 at 10:10:37 +1100, Zenaan Harkness wrote:
> I'm wondering:
> 1) how to easily clean known_hosts
>
> ssh-keygen with the -R option.

Sounds great! (also, the CheckHostIP = no option looks very useful in
this regard, thanks Karl)

However - it seems to not work for me? :

$ HOST=raptor
$ ssh-keygen -r $HOST
raptor IN SSHFP 1 1 81488c713a821a5d232fadaaf57ec9699e3e3a5e
raptor IN SSHFP 1 2 928b7a09cce6c42e52ded51ad8e49b6bc24afa23adc62c7c51b7507ec30aac31
raptor IN SSHFP 2 1 137e0fd7551bd8485b91935274d8f1afcf6be3ba
raptor IN SSHFP 2 2 b2e15796502c956b5ecaf4c66848390b11d79ebe16ecbf5efb838630d5ae3846
raptor IN SSHFP 3 1 a7abbd8e090c23371fd335d7bd01fc8238edd08a
raptor IN SSHFP 3 2 5002cd18247173fc72d979ee2f50185d5f5ac72e2e7ecf02f77c7de8b5a6dcc7
$ ssh-keygen -R $HOST
/home/justa/.ssh/known_hosts updated.
Original contents retained as /home/justa/.ssh/known_hosts.old
$ ssh-keygen -r $HOST
raptor IN SSHFP 1 1 81488c713a821a5d232fadaaf57ec9699e3e3a5e
raptor IN SSHFP 1 2 928b7a09cce6c42e52ded51ad8e49b6bc24afa23adc62c7c51b7507ec30aac31
raptor IN SSHFP 2 1 137e0fd7551bd8485b91935274d8f1afcf6be3ba
raptor IN SSHFP 2 2 b2e15796502c956b5ecaf4c66848390b11d79ebe16ecbf5efb838630d5ae3846
raptor IN SSHFP 3 1 a7abbd8e090c23371fd335d7bd01fc8238edd08a
raptor IN SSHFP 3 2 5002cd18247173fc72d979ee2f50185d5f5ac72e2e7ecf02f77c7de8b5a6dcc7

So it looks like the host raptor is not removed from known_hosts.. ??


Archive: 
http://lists.debian.org/caosgnssn4lyh8owqzv9dupfomhozhuy95out4ovpq7-8xvm...@mail.gmail.com
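An added example, not code from the thread, to show what the six lines above are: `ssh-keygen -r host` reads the host's public key files and prints one SSHFP resource record per key and digest type. The algorithm number is 1 for RSA, 2 for DSA, 3 for ECDSA (4 for Ed25519), and the fingerprint type is 1 for SHA-1 and 2 for SHA-256, each computed over the raw key blob (the base64 part of the .pub line). The Python below computes those records from a public-key line and performs the comparison a client makes with VerifyHostKeyDNS when a server presents its key. The ssh-ed25519 sample key is constructed from arbitrary bytes; the matching policy is this example's own simplification, not a copy of OpenSSH's.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP code points (RFC 4255, 6594, 7479) as ssh-keygen -r prints them.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
              "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def make_pub_line(keytype, raw_key, comment=""):
    """Assemble a one-line OpenSSH public key (as in ssh_host_*_key.pub) from
    a type word and raw key bytes. Used here only to build sample input."""
    blob = ssh_string(keytype.encode()) + ssh_string(raw_key)
    return ("%s %s %s" % (keytype, base64.b64encode(blob).decode(), comment)).rstrip()

def decode_pub_line(pub_line):
    """Return (keytype, blob) and check that the type word inside the blob
    agrees with the leading type word."""
    keytype, b64 = pub_line.split()[:2]
    blob = base64.b64decode(b64)
    n = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type inside blob does not match %r" % keytype)
    return keytype, blob

def sshfp_records(hostname, pub_line):
    """The records ssh-keygen -r prints for one key: (name, algo, fptype,
    hex digest of the raw blob) for SHA-1 and SHA-256."""
    keytype, blob = decode_pub_line(pub_line)
    algo = SSHFP_ALGO[keytype]
    return [(hostname, algo, fptype, h(blob).hexdigest())
            for fptype, h in sorted(SSHFP_HASH.items())]

def format_rr(record):
    """Zone-file presentation, e.g. 'raptor IN SSHFP 4 2 <hex>'."""
    return "%s IN SSHFP %d %d %s" % record

def key_matches_dns(pub_line, dns_records):
    """The comparison behind VerifyHostKeyDNS: does the key the server just
    presented match a published record? Policy (this example's, simplified):
    if any SHA-256 record exists for the key's algorithm, only SHA-256
    records count, so a stale SHA-1 record cannot weaken the check."""
    keytype, blob = decode_pub_line(pub_line)
    algo = SSHFP_ALGO[keytype]
    mine = {fptype: h(blob).hexdigest() for fptype, h in SSHFP_HASH.items()}
    candidates = [(f, d.lower()) for (_, a, f, d) in dns_records
                  if a == algo and f in mine]
    if any(f == 2 for f, _ in candidates):
        candidates = [(f, d) for f, d in candidates if f == 2]
    return any(hmac.compare_digest(mine[f], d) for f, d in candidates)

# Constructed sample host key (not from the thread): an ssh-ed25519 blob
# built from 32 arbitrary bytes, syntactically valid but not a real key.
SAMPLE_PUB_LINE = make_pub_line("ssh-ed25519", bytes(range(32)), "root@raptor")

if __name__ == "__main__":
    published = sshfp_records("raptor", SAMPLE_PUB_LINE)
    for rr in published:
        print(format_rr(rr))
    print("matches DNS:", key_matches_dns(SAMPLE_PUB_LINE, published))
```

Two caveats a practitioner should keep in mind. Publishing SSHFP records only defends against a man in the middle when the client receives them over DNSSEC: with VerifyHostKeyDNS yes, OpenSSH accepts a matching key without prompting only if the resolver marks the answer as authenticated (AD bit); an unsigned answer still leads to the usual fingerprint prompt. And because the record is a hash of the host's public key, it detects a different key, not a copy of the genuine one presented by someone who holds the host's private key.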



Re: ssh host ip/id management for dynamic dns servers

2014-02-11 Thread Lars Noodén
On 02/11/2014 02:56 PM, Zenaan Harkness wrote:
> On 2/11/14, Brian a...@cityscape.co.uk wrote:
> On Tue 11 Feb 2014 at 10:10:37 +1100, Zenaan Harkness wrote:
> I'm wondering:
> 1) how to easily clean known_hosts
>
> ssh-keygen with the -R option.
>
> Sounds great! (also, the CheckHostIP = no option looks very useful in
> this regard, thanks Karl)
>
> However - it seems to not work for me? :
>
> $ HOST=raptor
> $ ssh-keygen -r $HOST
> raptor IN SSHFP 1 1 81488c713a821a5d232fadaaf57ec9699e3e3a5e
> raptor IN SSHFP 1 2 928b7a09cce6c42e52ded51ad8e49b6bc24afa23adc62c7c51b7507ec30aac31
> raptor IN SSHFP 2 1 137e0fd7551bd8485b91935274d8f1afcf6be3ba
> raptor IN SSHFP 2 2 b2e15796502c956b5ecaf4c66848390b11d79ebe16ecbf5efb838630d5ae3846
> raptor IN SSHFP 3 1 a7abbd8e090c23371fd335d7bd01fc8238edd08a
> raptor IN SSHFP 3 2 5002cd18247173fc72d979ee2f50185d5f5ac72e2e7ecf02f77c7de8b5a6dcc7
> $ ssh-keygen -R $HOST
> /home/justa/.ssh/known_hosts updated.
> Original contents retained as /home/justa/.ssh/known_hosts.old
> $ ssh-keygen -r $HOST
> raptor IN SSHFP 1 1 81488c713a821a5d232fadaaf57ec9699e3e3a5e
> raptor IN SSHFP 1 2 928b7a09cce6c42e52ded51ad8e49b6bc24afa23adc62c7c51b7507ec30aac31
> raptor IN SSHFP 2 1 137e0fd7551bd8485b91935274d8f1afcf6be3ba
> raptor IN SSHFP 2 2 b2e15796502c956b5ecaf4c66848390b11d79ebe16ecbf5efb838630d5ae3846
> raptor IN SSHFP 3 1 a7abbd8e090c23371fd335d7bd01fc8238edd08a
> raptor IN SSHFP 3 2 5002cd18247173fc72d979ee2f50185d5f5ac72e2e7ecf02f77c7de8b5a6dcc7
>
> So it looks like the host raptor is not removed from known_hosts.. ??
>

ssh-keygen -r checks the SSHFP record in DNS.  Use grep or something to
check known_hosts.  For me, ssh-keygen -R does not remove all the
dynamically generated host keys, however.  I've not yet identified what
confounds ssh-keygen.

Regards,
/Lars


Archive: http://lists.debian.org/52fa2412.3020...@gmail.com



Re: ssh host ip/id management for dynamic dns servers [OT?]

2014-02-11 Thread Paul E Condon
I'm puzzled about the apparent 'security theater' on this topic.
Known host checking is done, I think, to defend against 'man in the
middle', so when the known host key changes because of some event down
in the bowels of dynamic dns, does one have any possibility of
determining that it is truly *not* a man-in-the-middle attack? Is there
some method for checking up on dynamic dns changes other than merely
noting the new value and adapting to it? 

Just puzzled. I don't really expect an answer that I would
understand. :-)

On 20140211_152226, Lars Noodén wrote:
> On 02/11/2014 02:56 PM, Zenaan Harkness wrote:
> > On 2/11/14, Brian a...@cityscape.co.uk wrote:
> > On Tue 11 Feb 2014 at 10:10:37 +1100, Zenaan Harkness wrote:
> > I'm wondering:
> > 1) how to easily clean known_hosts
> >
> > ssh-keygen with the -R option.
> >
> > Sounds great! (also, the CheckHostIP = no option looks very useful in
> > this regard, thanks Karl)
> >
> > However - it seems to not work for me? :
> >
> > $ HOST=raptor
> > $ ssh-keygen -r $HOST
> > raptor IN SSHFP 1 1 81488c713a821a5d232fadaaf57ec9699e3e3a5e
> > raptor IN SSHFP 1 2 928b7a09cce6c42e52ded51ad8e49b6bc24afa23adc62c7c51b7507ec30aac31
> > raptor IN SSHFP 2 1 137e0fd7551bd8485b91935274d8f1afcf6be3ba
> > raptor IN SSHFP 2 2 b2e15796502c956b5ecaf4c66848390b11d79ebe16ecbf5efb838630d5ae3846
> > raptor IN SSHFP 3 1 a7abbd8e090c23371fd335d7bd01fc8238edd08a
> > raptor IN SSHFP 3 2 5002cd18247173fc72d979ee2f50185d5f5ac72e2e7ecf02f77c7de8b5a6dcc7
> > $ ssh-keygen -R $HOST
> > /home/justa/.ssh/known_hosts updated.
> > Original contents retained as /home/justa/.ssh/known_hosts.old
> > $ ssh-keygen -r $HOST
> > raptor IN SSHFP 1 1 81488c713a821a5d232fadaaf57ec9699e3e3a5e
> > raptor IN SSHFP 1 2 928b7a09cce6c42e52ded51ad8e49b6bc24afa23adc62c7c51b7507ec30aac31
> > raptor IN SSHFP 2 1 137e0fd7551bd8485b91935274d8f1afcf6be3ba
> > raptor IN SSHFP 2 2 b2e15796502c956b5ecaf4c66848390b11d79ebe16ecbf5efb838630d5ae3846
> > raptor IN SSHFP 3 1 a7abbd8e090c23371fd335d7bd01fc8238edd08a
> > raptor IN SSHFP 3 2 5002cd18247173fc72d979ee2f50185d5f5ac72e2e7ecf02f77c7de8b5a6dcc7
> >
> > So it looks like the host raptor is not removed from known_hosts.. ??
> >
> ssh-keygen -r checks the SSHFP record in DNS.  Use grep or something to
> check known_hosts.  For me, ssh-keygen -R does not remove all the
> dynamically generated host keys, however.  I've not yet identified what
> confounds ssh-keygen.
>
> Regards,
> /Lars
>

-- 
Paul E Condon   
pecon...@mesanetworks.net


Archive: http://lists.debian.org/20140211135210.ga14...@big.lan.gnu



Re: ssh host ip/id management for dynamic dns servers [OT?]

2014-02-11 Thread Jochen Spieker
Paul E Condon:

> I'm puzzled about the apparent 'security theater' on this topic.
> Known host checking is done, I think, to defend against 'man in the
> middle',

Exactly.

> so when the known host key changes because of some event down
> in the bowels of dynamic dns, does one have any possibility of
> determining that it is truly *not* a man-in-the-middle attack?

DynDNS doesn't have anything to do with your host key. The host key
doesn't change. If OpenSSH really alerts you of a changed host key, then
you are either not connecting to the system you expected to connect to
or its host key really has changed.

OpenSSH just records keys of hosts it has connected to
using the IP address *and* the name of the host. If the IP changes,
OpenSSH doesn't know the new combination of IP address and hosts key and
therefore asks to store it (again) in the known_hosts file.

CheckHostIP no should take care of that issue.

J.
-- 
I worry about people thinking I have lost direction.
[Agree]   [Disagree]
 http://www.slowlydownward.com/NODATA/data_enter2.html




Re: ssh host ip/id management for dynamic dns servers [OT?]

2014-02-11 Thread Lars Noodén
On 02/11/2014 03:52 PM, Paul E Condon wrote:
> ... Known host checking is done, I think, to defend against 'man in
> the middle', so when the known host key changes because of some event
> down in the bowels of dynamic dns, does one have any possibility of
> determining that it is truly *not* a man-in-the-middle attack? Is
> there some method for checking up on dynamic dns changes other than
> merely noting the new value and adapting to it? ...

The host key does not change in this case, it's just that with dynamic
DNS the same host gets a new IP address.  That means that the same key
can have multiple entries in known_hosts.  known_hosts can get long and
unwieldy, filling with ip numbers that will never be used again.

In the case where the host key does get changed (system replaced without
backing up keys, for example) then StrictHostKeyChecking set to 'yes' or
'ask' shows the fingerprint before adding it to known_hosts.  It is also
possible to pre-load in advance the user's known_hosts or the system's
known host with the appropriate public key.

Regards,
/Lars


Archive: http://lists.debian.org/52fa3a23.3040...@gmail.com



Re: ssh host ip/id management for dynamic dns servers

2014-02-11 Thread Chris Bannister
On Tue, Feb 11, 2014 at 11:56:41PM +1100, Zenaan Harkness wrote:
> On 2/11/14, Brian a...@cityscape.co.uk wrote:
> > On Tue 11 Feb 2014 at 10:10:37 +1100, Zenaan Harkness wrote:
> > I'm wondering:
> > 1) how to easily clean known_hosts
> >
> > ssh-keygen with the -R option.
>
> $ HOST=raptor
> $ ssh-keygen -r $HOST
>
> So it looks like the host raptor is not removed from known_hosts.. ??

 '-R'

-- 
If you're not careful, the newspapers will have you hating the people
who are being oppressed, and loving the people who are doing the 
oppressing. --- Malcolm X


Archive: http://lists.debian.org/20140212040949.GC17812@tal



ssh host ip/id management for dynamic dns servers

2014-02-10 Thread Zenaan Harkness
With a dyndns type server, each time a new ip address happens, ssh
login adds a new entry to .known_hosts

Is there a recommended way to handle this?

TIA
Zenaan


Archive: 
http://lists.debian.org/caosgnstrsfdxbcsurwww8vnbbykhqjo56_91sxo3k7c--9k...@mail.gmail.com



Re: ssh host ip/id management for dynamic dns servers

2014-02-10 Thread Zenaan Harkness
> On Feb 10, 2014 2:53 PM, Zenaan Harkness z...@freedbms.net wrote:
> With a dyndns type server, each time a new ip address happens, ssh
> login adds a new entry to .known_hosts
>
> Is there a recommended way to handle this?

On 2/11/14, Schlacta, Christ aarc...@aarcane.org wrote:
> Configure static dhcp leases for your server systems. Every dhcp daemon had
> a configuration entry for this.

Thank you for the suggestion, however it's the public side that's
the problem - I do have the server set up (internally) with static
config.

The publicly visible IP changes every so often, using a dynamic dns
service. Accessing the server from this public domain name obviously
results in a new IP address every now and then.

I'm wondering:

1) how to easily clean known_hosts
2) is there some configuration to automate/simplify this

PS Please reply to the list in general, unless it really is a personal
email - I just made the same mistake, although there was no debian
address to reply to :)


Archive: 
http://lists.debian.org/CAOsGNSREdFMyOjOAkv6fn-qyutiFw-T=av-g49befafprnq...@mail.gmail.com



Re: ssh host ip/id management for dynamic dns servers

2014-02-10 Thread Lars Noodén
On 02/11/2014 01:10 AM, Zenaan Harkness wrote:
> On Feb 10, 2014 2:53 PM, Zenaan Harkness z...@freedbms.net wrote:
> With a dyndns type server, each time a new ip address happens, ssh
> login adds a new entry to .known_hosts
>
> Is there a recommended way to handle this?
>
> On 2/11/14, Schlacta, Christ aarc...@aarcane.org wrote:
> Configure static dhcp leases for your server systems. Every dhcp daemon had
> a configuration entry for this.
>
> Thank you for the suggestion, however it's the public side that's
> the problem - I do have the server set up (internally) with static
> config.
>
> The publicly visible IP changes every so often, using a dynamic dns
> service. Accessing the server from this public domain name obviously
> results in a new IP address every now and then.
>
> I'm wondering:
>
> 1) how to easily clean known_hosts
> 2) is there some configuration to automate/simplify this
>
> PS Please reply to the list in general, unless it really is a personal
> email - I just made the same mistake, although there was no debian
> address to reply to :)
>

One way might be to paste the key into sed and use //d to delete the
lines with the key.  Since / can occur in a key, # is used here as the
delimiter:

sed '\#B3NzaC1yc2EDAQABAAABAQDK...#d' ~/.ssh/known_hosts

If that does what you want then add -i

Regards,
/Lars


Archive: http://lists.debian.org/52f9d0be.1090...@gmail.com
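An added example, not code from the thread, serving both the sed one-liner above and the awk filter Lars sketches in his 12 February reply: a Python version that keeps one line per host key instead of deleting every line that carries the key, and, by default, folds the names and addresses of the dropped lines into the surviving line so nothing that matched before stops matching. It writes to standard output, so redirect to a new file and compare before replacing ~/.ssh/known_hosts. The sample entries, host names and key strings are constructed for the example.

```python
import sys

def split_entry(line):
    """Return (hosts, keytype, key, rest) or None for blank lines, comments and
    @-marker lines (cert-authority / revoked), which are passed through."""
    s = line.strip()
    if not s or s[0] in "#@":
        return None
    parts = s.split(None, 3)
    if len(parts) < 3:
        return None
    rest = parts[3] if len(parts) == 4 else ""
    return parts[0], parts[1], parts[2], rest

def dedupe_by_key(text, merge_hosts=True):
    """Keep one line per (keytype, key). With merge_hosts, every name or IP
    seen with that key is folded into its first line as a comma list, so
    nothing that matched before stops matching; without it, later copies are
    simply dropped, the 'first match wins' behaviour of the awk filter.
    Hashed (|1|...) fields cover exactly one name each and cannot be joined,
    so lines carrying them are kept as they are."""
    out, first = [], {}
    for line in text.splitlines():
        entry = split_entry(line)
        if entry is None:
            out.append(line)
            continue
        hosts, keytype, key, _ = entry
        k = (keytype, key)
        if k not in first:
            first[k] = len(out)
            out.append(line)
            continue
        if not merge_hosts:
            continue
        fhosts, _, _, frest = split_entry(out[first[k]])
        if fhosts.startswith("|1|") or hosts.startswith("|1|"):
            out.append(line)
            continue
        seen = fhosts.split(",")
        merged = seen + [h for h in hosts.split(",") if h not in seen]
        out[first[k]] = " ".join(p for p in (",".join(merged), keytype, key, frest) if p)
    return "\n".join(out) + "\n"

# Constructed sample (not from the thread): one dynamic-DNS host seen at three
# addresses, plus an unrelated host. Key fields are placeholder base64.
SAMPLE = "\n".join([
    "foobar.example.com,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5KEY1 first contact",
    "192.0.2.77 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5KEY1",
    "192.0.2.99 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5KEY1",
    "other.example.net ssh-rsa AAAAB3NzaC1yc2EKEY2",
]) + "\n"

if __name__ == "__main__":
    # usage: python3 dedupe_known_hosts.py ~/.ssh/known_hosts > known_hosts.new
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    sys.stdout.write(dedupe_by_key(text))
```

Merging is the safer default for a dynamic-DNS host: the old addresses are harmless in the file, and an address that comes back (ISPs do hand out the same lease again) still matches without a prompt. Dropping later copies is the exact equivalent of the awk version and is what you want when the aim is simply a shorter file.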