SSH host key rotation – known_hosts file not updated
Jan Eden
tech at eden.one
Mon Oct 14 00:45:23 AEDT 2024
Hi,
I created new host keys on serverA, updated sshd_config accordingly
(adding the line below) and restarted ssh:
cd /etc/ssh
sudo ssh-keygen -f 2024_ssh_host_ed25519_key -t ed25519 -N ''
sudo vi /etc/ssh/sshd_config
# added line: HostKey /etc/ssh/2024_ssh_host_ed25519_key
sudo service ssh restart
When I connect to serverA (`ssh -v -o UpdateHostKeys=yes serverA`)
afterwards, known_hosts on the client is not updated. The output of the
ssh command contains this:
debug1: Host '[serverA.domain.internal]:22' is known and matches the ED25519 host key.
# ...
debug1: client_input_hostkeys: searching /Users/snafu/.ssh/known_hosts for [serverA.domain.internal]:22 / (none)
debug1: client_input_hostkeys: searching /Users/snafu/.ssh/known_hosts2 for [serverA.domain.internal]:22 / (none)
debug1: client_input_hostkeys: hostkeys file /Users/snafu/.ssh/known_hosts2 does not exist
debug1: client_input_hostkeys: host key found matching a different name/address, skipping UserKnownHostsFile update
The last message is slightly ambiguous – it could be interpreted as the
new host key having been found in known_hosts for a different host
(which is almost impossible, as I created it on serverA one hour ago),
or that old host key(s) for serverA (which are obviously present in
known_hosts) somehow interfered with the file update. The second
interpretation is probably correct, but I fail to see what the problem
could be.
- Jan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20241013/b50f8458/attachment.asc>
More information about the openssh-unix-dev
mailing list