[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Mass-updating cached hosts keys afrer ssh security upgrade?


On Mon, Jul 21, 2008 at 06:43:31PM -0500, JW wrote:
> Has anyone come up with a way to read all the cached hosts - all the 
> ~/.ssh/known_hosts entries on a system (or at least per user) and fix them?
> Essentially I need some semi-automated way to fix this since I have many 
> users's connections to fix still (hundreds if not thousands by the time I do 
> machines X users X outgoing connections).

I have written a little script that does this with the help of ssh-keyscan's
-R option. (It doesn't work with the sarge version btw. because it didn't
have -R.) If you put in your domain at the beginning and the hostnames in
the "for x in..." loop it deletes (the probably hashed) lines with
hostname.domain, hostname (w/o domain) if the domain is in /etc/resolv.conf
and the IP of hostname.domain, if it can be resolved at the time the script
runs. I have put the test with /etc/resolve.conf there, so the script can be
run by users on computers in other domains, but won't delete lines for
host001 there, because the would really be host001.otherdomain and not
host001.yourdomain. In any case it makes a backup of the original

It maybe is a bit too verbose, maybe some warnings get easily overlooked
because of that (e. g. problem resolving hostname.domain -> IP). If you use
IPv6 already, you probably need to add some lines for that to the script. It
should be similar to the IPv4 case.

 Mike Dornberger

Attachment: delvulnhostkeys.sh
Description: Bourne shell script

Reply to: