[Bug 1213] ssh-keyscan exits in mid-way

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Fri Mar 4 12:07:11 EST 2011


--- Comment #25 from aab at purdue.edu 2011-03-04 12:07:11 EST ---
(In reply to comment #24)
> Okay, I think I see what's going on here.
> When you click on the "attachment 2008 [details]" link, you're taken to a fancy
> side-by-side rendition of the diff. At the top, there are a series of
> links:
>     View | Details | Raw Unified | Return to bug 1213 | Differences ...
> I was clicking on "Raw Unified," and got the broken patch. "View" goes
> to the URL you gave (which yields the correct patch). Confusing, isn't
> it?

Yes, it is indeed confusing.  I've never used the exact path you used
to get to the patch so I missed seeing the "bad" representation of it.

One of the things that I've observed in generating the
"ssh_known_hosts" file is that it can end up having a quite variable
keyset as it depends on ALL of the hosts ALWAYS being up (don't we
wish).  It's probably overkill but we generate the "hosts" file once an
hour via a set of wrapper scripts.  Included within the scripts is a
database that contains the current keys for all hosts that are
currently supposed to be active (previously acquired via these same
scripts).  This allows us two capabilities: 1) if there is no key
returned for some host, the database can supply the last one and 2) it
allows us to see if there have been any changes in the keys that might
signify a security break.

A second part is a condensation of the keys via globbing. This assumes
that a number of the hosts have the same key.  The cluster nodes on our
private networks are basically all cloned so we do get considerable
condensation.  Right now, for 4700+ hosts, the "hosts" file has 334

The core script is a highly modified variant of the GNU licensed
script, "make_ssh_known_hosts.pl", that was in "ssh-1.0.0" (circa
1998).  Note that's "ssh" not "openssh".  My original came from
"ssh-1.2.26".  For some reason, it disappeared when the OpenSSH folks
took over.   For Linux boxes, it's still dependent on my bind 9 hack of
`nslookup' as I haven't had time to modify it to use the current GNU

Would you be interested in anything like this?

Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list