entries in .ssh/known_hosts
Urs Thuermann
Posted on September 9, 2003, 9:24 pm
address for the stored ssh key entries. I suggest the following two
1. Only store host names but not IP addresses. IP addresses can
change, especially when the host has a dynamically assigned IP
address, like many dial-up providers do. I have one case where the
same host has over 200 entries in the known_hosts file because of
2. In addition to the host name, also include the port number in the
known_hosts file. One machine can have several sshd's running with
different host keys on separate ports. I have one such case that
gives me headaches because of seemingly changing host keys.
In fact, I have a .ssh/config that contains something like this:
where ports 22222 and 22223 on remote-machine are http-tunneled to
the ssh ports of two different machines and therefore present
different ssh hosts keys to the local ssh program when running
ssh foo and ssh bar, respectively.
As an alternative to including the port number, the alias names foo
and bar could be used instead of the name remote-machine in the
known_hosts file. However, I consider including the port number
the better and more flexible solution.
I think the syntax of the known_hosts file could be extended to
host-name,ip-address,port-number key-type key-data
where each of the first three components can be empty, i.e.
host-name key-type ...
host-name,ip-address key-type ...
host-name,,port-number key-type ...
would also be allowed, and there could be an option in .ssh/config to
select which format is normally written.
Re: entries in .ssh/known_hosts
$ man ssh_config
If this flag is set to ``yes'', ssh will additionally check the
host IP address in the known_hosts file. This allows ssh to
detect if a host key changed due to DNS spoofing. If the option
is set to ``no'', the check will not be executed. The default is
This is an open feature request.
$ man ssh_config
Specifies an alias that should be used instead of the real host
name when looking up or saving the host key in the host key
database files. This option is useful for tunneling ssh connec-
tions or for multiple servers running on a single host.
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
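The two posts above describe one host-key lookup from two sides: the first proposes recording host name, IP address and port as separate fields of a known_hosts entry; the reply points at the existing ssh_config options whose man page text it quotes, CheckHostIP (cross-check the key stored for the IP against the one stored for the name, to notice DNS spoofing) and HostKeyAlias (look the key up under an alias instead of the real name, for tunnelled or multi-sshd hosts). The following is an added example, written for this page and not OpenSSH code or anything posted in the thread: a toy lookup over the proposed three-field syntax that also models the CheckHostIP and HostKeyAlias behaviour. The sample known_hosts content, host names, IP addresses and key strings are constructed; the rule that an entry with an empty port field matches any port is my assumption, not something the thread specifies.

```python
"""Toy model of the known_hosts lookup discussed in this thread (constructed
example, not OpenSSH code). Entries use the syntax proposed in the first post:

    host-name,ip-address,port-number key-type key-data

where any of the first three fields may be empty or omitted from the end.

Assumptions made here, not stated in the thread: an entry with an empty port
field is a legacy entry and matches any port; keys are compared on
key-type plus key-data only.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class HostEntry:
    host: Optional[str]
    ip: Optional[str]
    port: Optional[int]
    key_type: str
    key_data: str

    def key(self) -> Tuple[str, str]:
        return (self.key_type, self.key_data)


def parse_known_hosts(text: str) -> List[HostEntry]:
    """Parse lines of the form 'host,ip,port key-type key-data'.

    Trailing empty fields may be omitted ('host key-type ...'), and any
    field may be left blank ('host,,port key-type ...', ',ip key-type ...').
    """
    entries: List[HostEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            raise ValueError(f"malformed known_hosts line: {raw!r}")
        fields, key_type, key_data = parts
        comps = fields.split(",")
        if len(comps) > 3:
            raise ValueError(f"too many address fields: {raw!r}")
        comps += [""] * (3 - len(comps))          # pad omitted fields
        host, ip, port = comps
        entries.append(HostEntry(host or None, ip or None,
                                 int(port) if port else None,
                                 key_type, key_data.strip()))
    return entries


def lookup(entries: List[HostEntry], host: str, ip: Optional[str],
           port: int = 22, *, check_host_ip: bool = True,
           host_key_alias: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Return (status, key_data) for a connection to host:port resolving to ip.

    status is 'ok', 'unknown' (nothing stored under the name), or
    'ip_mismatch' (the key stored for the IP differs from the key stored
    for the name, which is the situation CheckHostIP is meant to surface).
    """
    name = host_key_alias or host                  # HostKeyAlias replaces the name
    by_name = [e for e in entries
               if e.host == name and (e.port is None or e.port == port)]
    if not by_name:
        return ("unknown", None)
    # Prefer an entry that records this port explicitly over a legacy one.
    entry = next((e for e in by_name if e.port == port), by_name[0])
    if check_host_ip and ip is not None:
        by_ip = [e for e in entries
                 if e.ip == ip and (e.port is None or e.port == port)]
        if any(e.key() != entry.key() for e in by_ip):
            return ("ip_mismatch", entry.key_data)
    return ("ok", entry.key_data)


# Constructed sample file: two tunnelled sshd's on different ports of
# remote-machine (the first post's case), an entry saved under the alias
# "foo", a host recorded with its IP, and an IP-only entry.
SAMPLE = """\
# host,ip,port  type  key
remote-machine,,22222 ssh-rsa AAAAremoteA
remote-machine,,22223 ssh-rsa AAAAremoteB
foo ssh-rsa AAAAremoteA
mailhost,192.0.2.10 ssh-rsa AAAAmail
,192.0.2.20 ssh-rsa AAAAother
"""

if __name__ == "__main__":
    db = parse_known_hosts(SAMPLE)
    print(lookup(db, "remote-machine", None, 22222))                   # port picks key A
    print(lookup(db, "remote-machine", None, 22223))                   # port picks key B
    print(lookup(db, "remote-machine", None, host_key_alias="foo"))    # alias lookup
    print(lookup(db, "mailhost", "192.0.2.20"))                        # name now resolves elsewhere
```

Running it shows the port field separating the two keys that today collide under one name, the alias resolving to the entry saved under "foo", and the last call reporting `ip_mismatch` because the key stored for 192.0.2.20 is not the key stored for `mailhost`; with `check_host_ip=False` that same call returns `ok`, which is exactly the check the quoted CheckHostIP text says is skipped when the option is off.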