How to remove old entries from known_hosts?
Nico Kadel-Garcia
nkadel at gmail.com
Mon Feb 19 01:43:55 AEDT 2024
On Sat, Feb 17, 2024 at 2:58 PM Bob Proulx <bob at proulx.com> wrote:
>
> Brian Candler wrote:
> > Chris Green wrote:
> > > ... redundant ones are because I have a mixed population of
> > > Raspberry Pis and such on my LAN and they get rebuilt fairly
> > > frequently and thus, each time, get a new entry in known_hosts.
> > ...many useful tips...
> > To disable host key checking altogether for certain domains and/or networks,
> > you can put this in ~/.ssh/config:
> >
> > host *.lab.example.com 10.11.*
> > StrictHostKeyChecking no
> > UserKnownHostsFile /dev/null
> > ...many useful tips...
>
> Additionally I would consider setting up global ssh_known_hosts
> containing the ssh host keys for your network. If a key is in the
> global file then it won't be added to the local client file. The
> global hosts file can be updated as you rebuild your lab machines and
> contain a canonical set of host keys for your LAN. I do this.
And.... the cycles spent on yak shaving .ssh/known_hosts is why many
sites simply disable it. In environments where the exposed IP
addresses of rebuilt virtual hosts or proxies may shift without
notice, and especially when they may be rebuilt on prevously used IP
addresses with old keys stored, maintaining .ssh/known_hosts becomes
more likely to disable expected and even mandatory operations than it
is to detect and help prevent a replaced host. Frankly, I gave up on
it years ago and use something the settings below in
/etc/ssh/ssh_config.d/known_hosts.conf
Host *
StrictHostKeyChecking no
UserKnownHostsFile=/dev/null
LogLevel=ERROR
It can be set more restrictively for your local non-routable VLAN, but
in the last 25 years I've seen precisely *zero* cases where
.ssh/known_hosts prevented rather than caused problems.I have seen
sites pour a lot of time and money and effort into setting up signed
host keys, to avoid the IP migration conflict issues, but I'd
recommend spending the time and money elsewhere like auditing for SSH
private keys without passphrases.
More information about the openssh-unix-dev
mailing list