SSH host key rotation – known_hosts file not updated
Bob Proulx
bob at proulx.com
Fri Oct 18 15:13:44 AEDT 2024
Nico Kadel-Garcia wrote:
> And... *THIS* is why so many people disable known_hosts entirely. The
> chance of an IP address being reused for a distinct hostname is pretty
> high in a DHCP environment without reservations, coupled with dynamic
> DNS. It's also very common when servers get rebuilt from images and
> fresh hostkeys generated automatically on the same hardware, even with
> the same IP address. The popular solution is to simply disable
> known_hosts in your ~/.ssh/config as needed:
I mitigate this in two different ways. For one, if servers are getting
rebuilt routinely, such as for testing or for scaling out or just
normal replacement, then I always install the same role key for those
servers. It's a replacement for a previous server? Then it gets the
same role key as the prior server.
The second thing I do is build a global ssh_known_hosts with the
known host keys of the dynamic server pool systems. Since the key is
in the system-level ssh_known_hosts, it doesn't get added to the
user-level known_hosts file. And the system-level file is updated as
needed.
That's not to say that I don't /dev/null host keys in some cases too.
Here, if I connect to an IP address, then I know it is just a one-off
not to be saved, and I discard host keys in that case.
Bob
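As an added illustration of the two techniques in this reply (not code from the post or from OpenSSH): the script below assembles the one system-level ssh_known_hosts line that covers every name and address of a pool sharing a role key, and then scans a user-level known_hosts for the stale entries that would trigger the host-key-changed warning after a rebuild. The key strings, host names, addresses and the sample known_hosts are constructed for the example; hashed entries are matched with the HMAC-SHA1 scheme that HashKnownHosts uses.

```python
import base64, fnmatch, hashlib, hmac

# Constructed sample keys (not real host keys).
ROLE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIRoleKeyConstructedForThisExample0000"
OLD_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOldKeyFromBeforeTheRebuild00000000"
# Constructed pool: the hosts and addresses that carry the role key.
POOL = ["pool-1.example.net", "pool-2.example.net", "10.0.0.21", "10.0.0.22"]

def hashed_pattern(host: str, salt: bytes) -> str:
    """Build the |1|salt|hmac host field ssh writes when HashKnownHosts is on."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def pattern_matches(pattern: str, host: str) -> bool:
    """Match one known_hosts host field (plain, wildcard or hashed) against a name."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return fnmatch.fnmatchcase(host, pattern)   # ssh allows * and ? in host names

def pool_entry(hosts, role_key):
    """One system ssh_known_hosts line covering every name and IP of the pool."""
    keytype, keydata = role_key.split()[:2]
    return "%s %s %s" % (",".join(hosts), keytype, keydata)

def stale_entries(user_known_hosts: str, pool_hosts, role_key):
    """(line number, pool host) for user entries whose key is not the role key."""
    keytype, keydata = role_key.split()[:2]
    stale = []
    for n, line in enumerate(user_known_hosts.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):          # @cert-authority / @revoked markers
            fields = fields[1:]
        if len(fields) < 3 or (fields[1], fields[2]) == (keytype, keydata):
            continue                           # malformed, or already the role key
        for host in pool_hosts:
            if any(pattern_matches(p, host) for p in fields[0].split(",")):
                stale.append((n, host))
    return stale

# Constructed ~/.ssh/known_hosts: a plain stale entry, a hashed stale entry,
# one entry that already holds the role key, and one unrelated host.
SAMPLE_USER_FILE = "\n".join([
    "pool-1.example.net,10.0.0.21 " + OLD_KEY,
    hashed_pattern("pool-2.example.net", b"0123456789abcdef0123") + " " + OLD_KEY,
    "10.0.0.22 " + ROLE_KEY,
    "other.example.net " + OLD_KEY,
])
```

Lines reported by stale_entries are the ones to drop from the user file once the pool line is installed in /etc/ssh/ssh_known_hosts; ssh-keygen -R removes them by host name, hashed entries included.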