entries in .ssh/known_hosts

In OpenSSH, the file .ssh/known_hosts uses the host name and IP
address for the stored ssh key entries.  I suggest the following two

1. Only store host names but not IP addresses.  IP addresses can
   change, especially when the host has a dynamically assigned IP
   address, like many dial-up providers do.  I have one case where the
   same host has over 200 entries in the known_hosts file because of
   changing addresses.

2. In addition to the host name, also include the port number in the
   known_hosts file.  One machine can have several sshd's running with
   different host keys on separate ports.  I have one such case that
   gives me headaches because of seemingly changing host keys.

   In fact, I have a .ssh/config that contains something like this:

        Host foo
        HostName remote-machine
        Port     22222
        User     urs

        Host bar
        HostName remote-machine
        Port     22223
        User     thuerman

   where ports 22222 and 22223 on remote-machine are http-tunneled to
   the ssh ports of two different machines and therefore present
   different ssh host keys to the local ssh program when running
   ssh foo and ssh bar, respectively.

   As an alternative to including the port number, the alias names foo
   and bar could be used instead of the name remote-machine in the
   known_hosts file.  However, I consider including the port number
   the better and more flexible solution.

I think the syntax of the known_hosts file could be extended to

   host-name,ip-address,port-number key-type key-data

where each of the first three components can be empty, i.e.

   host-name              key-type ...
   host-name,ip-address   key-type ...
   host-name,,port-number key-type ...

would also be allowed, and there could be an option in .ssh/config to
select which format is normally written.


Re: entries in .ssh/known_hosts

$ man ssh_config
   If this flag is set to ``yes'', ssh will additionally check the
   host IP address in the known_hosts file.  This allows ssh to
   detect if a host key changed due to DNS spoofing.  If the option
   is set to ``no'', the check will not be executed.  The default is

This is an open feature request.

$ man ssh_config
   Specifies an alias that should be used instead of the real host
   name when looking up or saving the host key in the host key
   database files.  This option is useful for tunneling ssh connec-
   tions or for multiple servers running on a single host.

Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
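The lookup that the two ssh_config excerpts above describe, as an added example that is not part of the thread: a simplified Python model (not OpenSSH's code) of how CheckHostIP and HostKeyAlias change what ssh concludes from a known_hosts file. The known_hosts lines, key strings and addresses are constructed, and the model skips the IP check when an alias is given.

```python
# Simplified model of the known_hosts lookup discussed in this thread.
# Added example, not OpenSSH's code; key data and addresses are constructed.
def parse_known_hosts(text):
    """Return (names, key_type, key_data) per 'name,ip key-type key-data' line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names, key_type, key_data = line.split()[:3]
        entries.append((set(names.split(",")), key_type, key_data))
    return entries

def lookup(entries, name, key):
    """OK if name is stored with this key, CHANGED if with another, NEW if unknown."""
    seen = False
    for names, _, key_data in entries:
        if name in names:
            if key_data == key:
                return "OK"
            seen = True
    return "CHANGED" if seen else "NEW"

def check_host(known_hosts, hostname, ip, presented_key,
               check_host_ip=True, host_key_alias=None):
    """Verdict for a presented key, modelling CheckHostIP and HostKeyAlias."""
    entries = parse_known_hosts(known_hosts)
    if host_key_alias:
        # HostKeyAlias: the key is filed under the alias, so foo and bar from the
        # first post no longer collide; this model skips the IP check in that case.
        return lookup(entries, host_key_alias, presented_key)
    host_status = lookup(entries, hostname, presented_key)
    if not check_host_ip:
        return host_status  # CheckHostIP no: only the name is consulted
    ip_status = lookup(entries, ip, presented_key)
    if host_status == "OK" and ip_status == "NEW":
        return "OK_ADD_IP"  # ssh records the new address: the dial-up bloat
    if host_status == "CHANGED" and ip_status != "CHANGED":
        return "POSSIBLE_DNS_SPOOFING"  # key differs and the address has no matching history
    return host_status

# Constructed known_hosts: remote-machine, a dial-up host, and the two
# HostKeyAlias entries for the tunnelled sshd's from the first post.
KNOWN_HOSTS = """\
remote-machine,192.0.2.10 ssh-rsa KEYREMOTE
dialup.example,198.51.100.7 ssh-rsa KEYDIALUP
foo ssh-rsa KEYFOO
bar ssh-rsa KEYBAR
"""
if __name__ == "__main__":
    print(check_host(KNOWN_HOSTS, "dialup.example", "203.0.113.5", "KEYDIALUP"))
```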

Re: entries in .ssh/known_hosts

dtucker@dodgy.net.au (Darren Tucker) writes:

Thanx for your answer and sorry for not reading the man page carefully
enough before posting.  Port numbers in known_hosts would be nice but
can be worked around with the HostKeyAlias.
