"ssh-keygen -R hostname" errors out with non-existent known_hosts

Nico Kadel-Garcia nkadel at gmail.com
Sat Mar 27 16:19:14 AEDT 2021


On Fri, Mar 26, 2021 at 2:42 AM Jim Knoble <jmknoble at pobox.com> wrote:
>
>
> > On Mar 25, 2021, at 20:49, Nico Kadel-Garcia <nkadel at gmail.com> wrote:
> >
> > On Wed, Mar 24, 2021 at 5:45 AM Jochen Bern <Jochen.Bern at binect.de> wrote:
> >>
> >>> On 23.03.21 06:42, Nico Kadel-Garcia wrote:
> >>> If I want to delete a hostkey entry, and there is none to be found,
> >>> shouldn't that be considered a successful operation?
> >>
> >> I can think of (easily more than) two scenarios where someone would want
> >> to run such a command in the first place:
> >>
> >> -- An admin performing cleanups on users' known_hosts file after a
> >> server changed keypairs or got decommissioned, where not finding the old
> >> pubkeys in some of the user configs would be expected and ignored
> >>
> >> -- A user who has had strict hostkey checking block his login and tries
> >> to fix the problem, where the command *failing* to (semi-)fix the
> >> problem is something he definitely wants to know about
> >>
> >> You can't have one and the same command do *both*.
> >>
> >> If anything, the reaction of "ssh-keygen -R ..." to a missing
> >> known_hosts file should be consistent with the outcome of it not finding
> >> a matching key therein to delete (which is to output an error message
> >> but still do an exit(0), apparently).
> >
> > This is why I'm suggesting should be the default.
>
> What's wrong with:
>
>     ssh-keygen -R hostname || true
>
> ?

Well, for one thing it's sloppy and ignores very real error
conditions, such as ~/.ssh/known_hosts or whatever is the designated
known_hosts file being write protected, but containing the hostname,
and the remove command failing. One *might* use something like this.

    [ ! -s ~/.ssh/known_hosts ] || ssh-keygen -R hostname

But why make me write a shell wrapper and try to outsmart
functionality that can be and, I think should be, embedded in the
ssh-keygen as reporting success. "The hostname key is not in
~/.ssh/known_hosts, yay!!!"
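As an added illustration (not code from the thread or from OpenSSH), a POSIX sh wrapper that gives "ssh-keygen -R" the semantics argued for above: a missing, empty or non-matching known_hosts counts as success, while an unreadable file, or a file that does contain the host but cannot be rewritten, still fails; the host name host.example, the helper names and the temp-dir layout are assumptions of this example.

```shell
#!/bin/sh
# rm_known_host HOST [KNOWN_HOSTS_FILE]
# Wrapper around "ssh-keygen -R" that separates "nothing to remove" (exit 0)
# from real failures, which a bare "|| true" would hide.
# Exit status: 0 key removed or never present; 1 file unreadable, or not
# writable while containing the key; 127 ssh-keygen not installed.
rm_known_host() {
    host=$1
    file=${2:-$HOME/.ssh/known_hosts}
    dir=$(dirname "$file")
    # Missing or empty file: the key cannot be in it, so there is nothing to do.
    if [ ! -s "$file" ]; then
        echo "rm_known_host: $file absent or empty, nothing to remove for $host"
        return 0
    fi
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; return 127; }
    if [ ! -r "$file" ]; then
        echo "rm_known_host: cannot read $file" >&2
        return 1
    fi
    # -F also matches hashed (|1|...) entries that a plain grep would miss.
    if ! ssh-keygen -q -F "$host" -f "$file" >/dev/null 2>&1; then
        echo "rm_known_host: $host is not in $file, nothing to remove"
        return 0
    fi
    # The key is present. -R rewrites the file and keeps a copy as "$file.old",
    # so both the file and its directory must be writable; report that instead
    # of swallowing it.
    if [ ! -w "$file" ] || [ ! -w "$dir" ]; then
        echo "rm_known_host: $host is in $file, but $file or $dir is not writable" >&2
        return 1
    fi
    ssh-keygen -q -R "$host" -f "$file"
}

# Constructed demo: a throwaway known_hosts under a temp dir holding a freshly
# generated key for the hypothetical host "host.example"; exercises each branch.
st() { "$@" >/dev/null 2>&1 && echo 0 || echo $?; }   # exit status as text
demo_rm_known_host() {
    tmp=$(mktemp -d) || return 1
    ssh-keygen -q -t ed25519 -N '' -f "$tmp/k" </dev/null || return 1
    printf 'host.example %s\n' "$(cut -d' ' -f1,2 "$tmp/k.pub")" >"$tmp/known_hosts"
    r_missing=$(st rm_known_host host.example "$tmp/missing")
    r_absent=$(st rm_known_host other.example "$tmp/known_hosts")
    r_removed=$(st rm_known_host host.example "$tmp/known_hosts")
    r_found=$(st ssh-keygen -q -F host.example -f "$tmp/known_hosts")
    rm -rf "$tmp"
    echo "missing=$r_missing absent=$r_absent removed=$r_removed still_found=$r_found"
}
```

Running demo_rm_known_host prints "missing=0 absent=0 removed=0 still_found=1": the missing file and the unknown host both succeed, the real entry is deleted, and only a write-protected file holding the key would turn into a non-zero exit.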

