[Bug 1213] ssh-keyscan exits in mid-way

bugzilla-daemon at bugzilla.mindrot.org
Sun Mar 6 06:04:20 EST 2011


https://bugzilla.mindrot.org/show_bug.cgi?id=1213

--- Comment #27 from Paul Wouters <paul at cypherpunks.ca> 2011-03-06 06:04:20 EST ---
(In reply to comment #26)
> (In reply to comment #25)

> If anything, the most I would do is put together a Perl script to merge
> an old and new known_hosts file, such that new entries override old
> ones, and old ones that don't have a newer replacement are kept.

You really want to look at SSHFP DNS records protected by DNSSEC, and
setting VerifyHostKeyDNS ask in your /etc/ssh/ssh_config.

You can use the "sshfp" tool for that, which is exactly why I was
interested in this bug. sshfp can AXFR a zone, and use ssh-keyscan to
connect to all A records in the zone and print the SSHFP record to add
in your zones.

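The step the comment above describes, turning ssh-keyscan output into SSHFP records for a zone, shown as an added example; it is not part of the original message and not the sshfp tool's own code. It goes beyond the message by emitting both SHA-1 and SHA-256 fingerprints and by covering key types standardized in RFC 6594 and RFC 7479; the host names and key bytes are constructed.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # fingerprint types 1 and 2

def wire_string(data):
    return struct.pack(">I", len(data)) + data  # SSH string: 4-byte length + data

def blob_key_type(blob):
    """Return the key type name stored at the start of a public key blob."""
    (length,) = struct.unpack(">I", blob[:4])  # struct.error if shorter than 4 bytes
    if length > len(blob) - 4:
        raise ValueError("truncated key type")
    return blob[4:4 + length].decode("ascii")

def sshfp_records(keyscan_output):
    """Convert "host keytype base64" lines to SSHFP records; return (records, skipped).

    Skipped: malformed lines, hashed host names (no DNS owner can be derived),
    unknown key types, and blobs whose embedded type differs from the declared one.
    """
    records, skipped = [], []
    for line in keyscan_output.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or banner comment
        try:
            names, key_type, b64 = fields[:3]
            blob = base64.b64decode(b64, validate=True)
            if names.startswith("|1|") or blob_key_type(blob) != key_type:
                raise ValueError("unusable entry")
            alg = ALGORITHMS[key_type]
        except (ValueError, KeyError, struct.error):
            skipped.append(line)
            continue
        owner = names.split(",")[0].rstrip(".") + "."  # first name, fully qualified
        for fp_type, digest in DIGESTS.items():
            records.append(f"{owner} IN SSHFP {alg} {fp_type} {digest(blob).hexdigest()}")
    return records, skipped

# Constructed sample input: the key material is bytes(range(32)), not a real host key.
SAMPLE_BLOB = wire_string(b"ssh-ed25519") + wire_string(bytes(range(32)))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE = "\n".join([
    "# host.example.com:22 SSH-2.0-OpenSSH_constructed",
    "host.example.com,192.0.2.10 ssh-ed25519 " + SAMPLE_B64,
    "|1|Y29uc3RydWN0ZWQ=|Y29uc3RydWN0ZWQ= ssh-ed25519 " + SAMPLE_B64,
    "other.example.com ssh-rsa " + SAMPLE_B64,  # declared type does not match blob
])
```

The fingerprint is the digest of the decoded key blob, so the records only carry trust when the zone they are published in is signed and the resolver validates DNSSEC.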


More information about the openssh-bugs mailing list