[PATCH] allow user to update changed key in known_hosts

Damien Miller djm at mindrot.org
Mon Feb 6 11:35:43 EST 2006


On Sat, 4 Feb 2006, Jirka Bohac wrote:

> Hi list,
> 
> I use ssh a lot and I often need to connect to hosts whose host key has
> changed. If a host key of the remote host changes ssh terminates and the
> user has to manually delete the offending host key from known_hosts. I
> had to do this so many times that I no longer like the idea ;-)
> I would really like ssh to ask me if the new host key is OK and if I
> want to add it to known_hosts.
> 
> I talked to other people and they also seemed to be bothered by this
> behaviour, so I have just written a small patch that introduces a new
> config option: OffendingKeyOverride

I don't think we will add an option like this: part of OpenSSH's
"security UI" is that a changed key is a significant event that requires
explicit manual intervention, not just answering "yes" to a question.
We are very wary of convenience options like OffendingKeyOverride, as
they tend to get turned on indiscriminately and never turned off.

BTW, in recent releases, the manual intervention required on key change
is as simple as the command:

ssh-keygen -R offending.host.name

This will remove the old key without editing, while still requiring a
manual step.

-d
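The manual step above, as an added example that is not OpenSSH's own code: a Python function that does to a known_hosts file what `ssh-keygen -R` does, dropping every line whose host field names the given host, including hashed entries written under HashKnownHosts (the `|1|salt|hash` form, where hash is HMAC-SHA1 keyed with the salt). The sample known_hosts content and its keys are constructed; wildcard patterns are compared literally, not expanded.

```python
"""Remove all known_hosts entries for one host (the effect of ssh-keygen -R)."""
import base64
import hashlib
import hmac


def hashed_host_field(host: str, salt: bytes) -> str:
    """Build the host field OpenSSH writes when HashKnownHosts is on."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def host_field_matches(field: str, host: str) -> bool:
    """True if a known_hosts host field names `host` (use "[host]:port" for non-22 ports)."""
    if field.startswith("|1|"):
        # Hashed entry: |1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>
        _, _, salt_b64, hash_b64 = field.split("|", 3)
        digest = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(digest, base64.b64decode(hash_b64))
    # Plain entry: comma-separated names/patterns, compared literally
    return host in field.split(",")


def remove_host(known_hosts: str, host: str) -> tuple:
    """Return (new file contents, number of lines removed) for `host`."""
    kept, removed = [], 0
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            kept.append(line)          # blank lines and comments are preserved
            continue
        # A leading @cert-authority / @revoked marker precedes the host field
        host_field = fields[1] if fields[0].startswith("@") and len(fields) > 1 else fields[0]
        if host_field_matches(host_field, host):
            removed += 1               # whole line dropped, aliases included
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


# Constructed sample file: fake keys, one plain and one hashed entry for the host
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample",
    "offending.host.name,192.0.2.10 ssh-ed25519 AAAAC3FAKEKEY1",
    hashed_host_field("offending.host.name", b"0123456789abcdefghij") + " ssh-rsa AAAAB3FAKEKEY2",
    "other.example.org ssh-ed25519 AAAAC3FAKEKEY3",
    "@cert-authority *.example.org ssh-ed25519 AAAAC3FAKECA",
])

if __name__ == "__main__":
    contents, count = remove_host(SAMPLE_KNOWN_HOSTS, "offending.host.name")
    print("removed %d entries:\n%s" % (count, contents))
```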
