Re: Re: Re: SSH host key rotation – known_hosts file not updated
Nico Kadel-Garcia
nkadel at gmail.com
Fri Oct 25 04:42:00 AEDT 2024
On Fri, Oct 18, 2024 at 1:31 PM Jan Eden <tech at eden.one> wrote:
>
> On 2024-10-17 19:26, Nico Kadel-Garcia wrote:
>
> > > Thank you! Increasing the verbosity revealed a known_hosts entry linked
> > > to serverA's IP address (I had forgotten that I had connected to it by
> > > IP address at some point). Deleting this entry solved the problem; the
> > > new host key was stored in known_hosts when I connected to serverA
> > > again.
> > >
> > > - Jan
> >
> > And... *THIS* is why so many people disable known_hosts entirely. The
> > chance of an IP address being reused for a distinct hostname is pretty
> > high in a DHCP environment without reservations, coupled with dynamic
> > DNS. It's also very common when servers get rebuilt from images and
> > fresh hostkeys generated automatically on the same hardware, even with
> > the same IP address. The popular solution is to simply disable
> > known_hosts in your ~/.ssh/config as needed:
> >
> > # Disable known_hosts to avoid IP re-use conflicts
> > Host *
> > UserKnownHostsFile /dev/null
> > StrictHostKeyChecking no
> > LogLevel ERROR
>
> Thanks for the hint. How would I verify a server's identity without
> known_hosts / StrictHostKeyChecking?

By verifying it with a TLS signature, if you feel the need to spend
the effort. Those don't scale well. Otherwise, known_hosts entries are
pretty much "first-come, first-served", and whoever's key is accepted
first can commit a quite successful denial of service attack against
the second host. That's actually the *idea*, but it presumes that the
host_keys are consistent and stable identifiers rather than merely
public/private key pairs to ensure protection of content. When the
world was much smaller, back in 1995, known_hosts was pretty useful.
IP addresses and DNS were pretty stable and not prone to modern drift,
such as occurs in auto-scaling in cloud-based VLANs. But re-use of IP
addresses has become commonplace, especially with the address space
limits of IPv4 and the refusal of so many to even bother with IPv6.
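The thread above turns on a detail of the known_hosts format: a line keyed by an IP address keeps its own copy of the host key, so after a rebuild the hostname line can carry the new key while the IP line still carries the old one, and the client reports a mismatch until that stale line is removed. The following Python is an added example, not code from the thread or from OpenSSH; it parses the known_hosts format described in sshd(8) (plain host lists and the `|1|salt|hash` form written when HashKnownHosts is enabled), finds the entries that match a name or address, reports when the two disagree, and drops the matching lines the way `ssh-keygen -R` would, which is the narrow fix Jan applied. The host names, addresses and key blobs are constructed sample data; wildcard and `!`-negated host patterns and the `[host]:port` form are deliberately left out.

```python
"""Parse OpenSSH known_hosts and spot stale per-IP entries.

Added example, not from the mailing-list thread or from OpenSSH.
Format per sshd(8) "SSH_KNOWN_HOSTS FILE FORMAT"; names, IPs and key
blobs below are constructed sample data, not real keys. Wildcard and
negated host patterns and [host]:port entries are not handled here.
"""
import base64
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Entry:
    line_no: int
    hosts: str        # raw host field: "a,b" or "|1|salt|hash" when hashed
    key_type: str
    key: str
    marker: str = ""  # "@cert-authority" / "@revoked" or "" for a plain entry


def parse_known_hosts(text):
    """Return one Entry per non-comment line; malformed lines are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        marker = ""
        if line.startswith("@"):
            marker, line = line.split(None, 1)
        parts = line.split()
        if len(parts) < 3:
            continue
        entries.append(Entry(n, parts[0], parts[1], parts[2], marker))
    return entries


def host_matches(host_field, host):
    """True if host matches a plain host list or a hashed host field."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, digest_b64 = host_field.split("|")
        salt = base64.b64decode(salt_b64)
        mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest_b64))
    return host in host_field.split(",")


def hash_host(host, salt):
    """Build the |1|salt|hash host field produced by HashKnownHosts yes."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def find_entries(text, host):
    return [e for e in parse_known_hosts(text) if host_matches(e.hosts, host)]


def key_conflicts(text, hostname, ip):
    """(keys by name, keys by IP) when both exist and differ, else None."""
    by_name = {(e.key_type, e.key) for e in find_entries(text, hostname)}
    by_ip = {(e.key_type, e.key) for e in find_entries(text, ip)}
    if by_name and by_ip and by_name != by_ip:
        return sorted(by_name), sorted(by_ip)
    return None


def remove_host(text, host):
    """Drop every line matching host, as `ssh-keygen -R host` does."""
    drop = {e.line_no for e in find_entries(text, host)}
    kept = [raw for n, raw in enumerate(text.splitlines(), 1) if n not in drop]
    return "\n".join(kept) + "\n"


# Constructed sample: the name carries the post-rebuild key, the IP line
# still carries the old one; serverB is stored in hashed form.
SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample; key blobs are placeholders, not real keys",
    "serverA.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEWKEYPLACEHOLDER",
    "192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDKEYPLACEHOLDER",
    hash_host("serverB.example.com", SALT)
    + " ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQSERVERBPLACEHOLDER",
])


if __name__ == "__main__":
    conflict = key_conflicts(SAMPLE_KNOWN_HOSTS, "serverA.example.com", "192.0.2.10")
    print("conflict between name and IP entries:", conflict)
    cleaned = remove_host(SAMPLE_KNOWN_HOSTS, "192.0.2.10")
    print("after removing the IP entry:",
          key_conflicts(cleaned, "serverA.example.com", "192.0.2.10"))
```

Run against a real file with `open("~/.ssh/known_hosts").read()` expanded, `key_conflicts` points at exactly the stale line the verbose `ssh -v` output in the thread revealed, and `remove_host` removes only that line, leaving every other host's pin intact.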
More information about the openssh-unix-dev mailing list