How to remove old entries from known_hosts?

Brian Candler b.candler at pobox.com
Wed Feb 14 23:36:44 AEDT 2024


On 14/02/2024 11:42, Chris Green wrote:
> Is there any way to remove old entries from the known_hosts file? With
> the hashed 'names' one can't easily see which entries are which.  I
> have around 150 lines in my known hosts but in reality I only ssh to a
> dozen or so systems.  All the redundant ones are because I have a
> mixed population of Raspberry Pis and such on my LAN and they get
> rebuilt fairly frequently and thus, each time, get a new entry in
> known_hosts.
>
> As a result I have to set 'PreferredAuthentications password' for some
> systems because there are *loads* of redundant keys which cause login
> to fail otherwise.
>
Set 'HashKnownHosts no' in /etc/ssh/ssh_config.  This is actually the 
default for OpenSSH, but many distro vendors set it to yes because "it's 
more secure, obvs".

Connect to all the machines you need to and delete the lines which 
conflict (ssh will tell you the line number). When your known_hosts 
seems to contain the hosts you want, delete all the hashed ones. Or 
simply start from scratch with an empty known_hosts.

To disable host key checking altogether for certain domains and/or 
networks, you can put this in ~/.ssh/config:

host *.lab.example.com 10.11.*
   StrictHostKeyChecking no
   UserKnownHostsFile /dev/null


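A less drastic form of the per-network override, added here as an example and not part of the post: keep the frequently rebuilt machines in their own known_hosts file and let ssh record a first-seen key automatically, while still refusing a key that has changed. `accept-new` is a documented value of StrictHostKeyChecking (OpenSSH 7.6 and later); the file name ~/.ssh/known_hosts.lab is an arbitrary choice.

```sshconfig
# ~/.ssh/config (added example; the known_hosts.lab file name is a choice)
Host *.lab.example.com 10.11.*
# Record an unknown host's key without prompting, but still fail when a
# previously recorded key changes ("no" skips that check entirely).
    StrictHostKeyChecking accept-new
# A separate file for the lab keeps stale entries from rebuilt machines
# away from the main known_hosts; prune one with
#   ssh-keygen -R host -f ~/.ssh/known_hosts.lab
# or discard the whole file when it gets crowded.
    UserKnownHostsFile ~/.ssh/known_hosts.lab
    HashKnownHosts no
```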