SSH host key rotation – known_hosts file not updated
Jan Eden
tech at eden.one
Sat Oct 19 04:31:28 AEDT 2024
On 2024-10-17 19:26, Nico Kadel-Garcia wrote:
> > Thank you! Increasing the verbosity revealed a known_hosts entry linked
> > to serverA's IP address (I had forgotten that I had connected to it by
> > IP address at some point). Deleting this entry solved the problem; the
> > new host key was stored in known_hosts when I connected to serverA
> > again.
> >
> > - Jan
>
> And... *THIS* is why so many people disable known_hosts entirely. The
> chance of an IP address being reused for a distinct hostname is pretty
> high in a DHCP environment without reservations, coupled with dynamic
> DNS. It's also very common when servers get rebuilt from images and
> fresh hostkeys generated automatically on the same hardware, even with
> the same IP address. The popular solution is to simply disable
> known_hosts in your ~/.ssh/config as needed:
>
> # Disable known_hosts to avoid IP re-use conflicts
> Host *
>     UserKnownHostsFile /dev/null
>     StrictHostKeyChecking no
>     LogLevel ERROR
Thanks for the hint. How would I verify a server's identity without
known_hosts / StrictHostKeyChecking?
- Jan
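The entry that bit Jan was one keyed by serverA's IP address rather than its name, and known_hosts can hold both under different keys. The script below is an added example (not from this thread or from OpenSSH) that parses a known_hosts file the way ssh matches it, plain, hashed (`|1|salt|hmac`) and `@cert-authority` lines included, and reports when the IP-keyed entries vouch for a key the hostname-keyed entries do not. The sample known_hosts content, hostnames and key blobs are constructed placeholders.

```python
"""Audit an OpenSSH known_hosts file for entries keyed by a hostname and by
its IP address, and flag the situation from the thread: the IP-keyed entry
still holds an old key while the hostname-keyed entry has the new one."""
import base64
import fnmatch
import hashlib
import hmac
from dataclasses import dataclass


def hash_host(name: str, salt: bytes) -> str:
    """Encode `name` the way HashKnownHosts / ssh-keygen -H do: |1|<salt>|<hmac-sha1>."""
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


# Constructed sample known_hosts content (assumption: not taken from the
# thread). Key blobs are placeholders, not real public keys.
_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# serverA by name and by address, recorded after the rekey",
    "serverA.example.com,192.0.2.10 ssh-ed25519 AAAA-NEW-KEY-PLACEHOLDER jan@laptop",
    "# stale entry left over from an earlier connect by IP only",
    "192.0.2.10 ssh-ed25519 AAAA-OLD-KEY-PLACEHOLDER old",
    "# a hashed entry, as written when HashKnownHosts is on",
    hash_host("serverB.example.com", _SALT) + " ssh-rsa AAAA-RSA-PLACEHOLDER",
    "@cert-authority *.example.com ssh-ed25519 AAAA-CA-KEY-PLACEHOLDER ca",
])


@dataclass
class Entry:
    line_no: int
    marker: str       # "", "@cert-authority" or "@revoked"
    hosts: str        # raw host-pattern field
    key_type: str
    key: str


def parse_known_hosts(text: str) -> list[Entry]:
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = ""
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue  # malformed line; ssh ignores it as well
        entries.append(Entry(line_no, marker, fields[0], fields[1], fields[2]))
    return entries


def _pattern_matches(pattern: str, name: str) -> bool:
    if pattern.startswith("|1|"):
        _, _, salt_b64, _digest = pattern.split("|")
        return hash_host(name, base64.b64decode(salt_b64)) == pattern
    return fnmatch.fnmatchcase(name, pattern)


def host_matches(entry: Entry, name: str) -> bool:
    """OpenSSH matching: comma-separated patterns, a leading '!' negates."""
    matched = False
    for pat in entry.hosts.split(","):
        if pat.startswith("!"):
            if _pattern_matches(pat[1:], name):
                return False
        elif _pattern_matches(pat, name):
            matched = True
    return matched


def entries_for(text: str, name: str) -> list[Entry]:
    return [e for e in parse_known_hosts(text) if host_matches(e, name)]


def audit(text: str, hostname: str, ip: str) -> dict:
    """Compare the plain (non-CA, non-revoked) keys recorded under name and IP."""
    by_name = {e.key for e in entries_for(text, hostname) if not e.marker}
    by_ip = {e.key for e in entries_for(text, ip) if not e.marker}
    return {
        "name_keys": by_name,
        "ip_keys": by_ip,
        "stale_ip_keys": by_ip - by_name,  # keys only the IP entries still vouch for
    }


if __name__ == "__main__":
    for e in entries_for(SAMPLE_KNOWN_HOSTS, "192.0.2.10"):
        print(f"line {e.line_no}: {e.hosts} {e.key_type} {e.key}")
    report = audit(SAMPLE_KNOWN_HOSTS, "serverA.example.com", "192.0.2.10")
    if report["stale_ip_keys"]:
        print("IP-keyed entry carries a key the hostname entry lacks:", report["stale_ip_keys"])
```

On a real file, the line numbers it prints are the ones to remove with `ssh-keygen -R 192.0.2.10` (which handles hashed entries too), and `ssh-keygen -F <host>` shows the same match ssh itself would use; running the audit after a host is rebuilt keeps the IP-keyed entry from silently pinning the old key.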