
Re: HashKnownHosts

2005/7/3, Colin Watson <cjwatson@debian.org>:
> On Sun, Jul 03, 2005 at 03:28:15PM +0200, Bernd Eckenfels wrote:
> > In article <20050703130109.GB16725@riva.ucam.org> you wrote:
> > > That's true, and unavoidable in this scheme; but the use case (beyond
> > > fastidiousness) for this is not clear to me.
> >
> > Well, how do you audit the files and purge stale entries.
> That comes under "fastidiousness" as far as I'm concerned: the only
> benefits I see from bothering to do that are (a) negligible performance
> differences and (b) hiding of old information, which HashKnownHosts
> gives you anyway. I don't see how it's required for normal use. Joe User
> is never going to garbage-collect his known_hosts file; heck, even I
> have better things to do. The only time I've ever removed entries from
> known_hosts is when I know that a specific host's key has changed, and
> 'ssh-keygen -R' deals with that just fine.

One case I can think of is where you regularly ssh into a machine with
a dynamic IP address. Maybe with or without a dyndns name. Depending
on the size of the ISP and how often the address changes the
known_hosts files could increase without bound.

Even with a dyndns name, the known_hosts file has both the DNS name
and the IP address. If you remove the hash based on DNS name, does it
remove *all* known_hosts with IP addresses with the same public key?
The documentation for -R quoted doesn't state either way.

To be honest, I think it would be far more useful to timestamp each
entry so you can simply expire old ones. Looking through my
known_hosts file now I see lots of duplicate entries (same host,
different names) and hosts which I only ever logged into once. As well
as hosts that no longer exist or are no longer accessible to me. With the
names I guess, with hashes you're stuffed. I think I can confidently
say that >80% of my known_hosts file is redundant but I can only tell
by seeing the names/IP addresses...

> (Of course, people with unusual requirements can always disable
> HashKnownHosts, but I'm interested in a sane default.)

Whether my situation is unusual or not I have no idea. This machine is
about 5 years old and has been connected to a lot of networks and
machines over its lifetime, each of which leaves a line or two in my

I think if another way was provided to manage file growth it wouldn't
be so much of an issue...
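Added example (not part of this thread, and not OpenSSH's own code): a small Python audit helper that parses a known_hosts file, reproduces the `|1|salt|hash` host field written under HashKnownHosts so hashed lines can still be matched against a name or IP you already know, and lists the other lines carrying the same key, which is what the plain names let you spot by eye. The salt, host names and key strings are constructed placeholders.

```python
"""Audit an OpenSSH known_hosts file: match hashed host fields, group lines by key."""
import base64
import hashlib
import hmac
from collections import defaultdict

def hash_host(hostname: str, salt: bytes) -> str:
    """Return the '|1|salt|hash' host field OpenSSH writes under HashKnownHosts."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_field_matches(field: str, hostname: str) -> bool:
    """True if a plain, comma-separated or hashed host field names hostname."""
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(hash_host(hostname, salt), field)
    return hostname in field.split(",")

def parse_known_hosts(text: str):
    """Yield (host_field, key_type, key) per entry; skip markers, comments, blanks."""
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0].startswith("@"):  # @cert-authority / @revoked marker
            parts = parts[1:]
        if len(parts) >= 3 and not parts[0].startswith("#"):
            yield parts[0], parts[1], parts[2]

def lines_sharing_key_with(text: str, hostname: str) -> list:
    """Host fields that carry the same key as hostname's entry but would not
    be matched by a lookup of hostname itself (other names, IPs, hashed lines)."""
    by_key = defaultdict(list)
    for host_field, key_type, key in parse_known_hosts(text):
        by_key[(key_type, key)].append(host_field)
    others = []
    for fields in by_key.values():
        if any(host_field_matches(f, hostname) for f in fields):
            others += [f for f in fields if not host_field_matches(f, hostname)]
    return others

# Constructed sample: one host reached once by name and then by two changing IPs,
# the last line stored hashed. Keys are placeholder strings, not real keys.
SALT = b"\x01" * 20
SAMPLE = "\n".join([
    "example.org,192.0.2.10 ssh-ed25519 AAAAC3PLACEHOLDERKEY",
    "192.0.2.11 ssh-ed25519 AAAAC3PLACEHOLDERKEY",
    hash_host("192.0.2.12", SALT) + " ssh-ed25519 AAAAC3PLACEHOLDERKEY",
    "other.example ssh-rsa AAAAB3OTHERKEY",
])
```

Running `lines_sharing_key_with(SAMPLE, "example.org")` returns the IP-only line and the hashed line, i.e. the entries that share the host's key but would not be found by looking the name up.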
