Hi,

On Mon, Jul 21, 2008 at 06:43:31PM -0500, JW wrote:
> Has anyone come up with a way to read all the cached hosts - all the
> ~/.ssh/known_hosts entries on a system (or at least per user) and fix them?
>
> Essentially I need some semi-automated way to fix this since I have many
> users' connections to fix still (hundreds if not thousands by the time I do
> machines X users X outgoing connections).

I have written a little script that does this with the help of ssh-keyscan's -R option. (It doesn't work with the sarge version btw. because it didn't have -R.)

If you put in your domain at the beginning and the hostnames in the "for x in..." loop, it deletes the (probably hashed) lines with hostname.domain, hostname (w/o domain) if the domain is in /etc/resolv.conf, and the IP of hostname.domain, if it can be resolved at the time the script runs.

I have put the test with /etc/resolv.conf there so the script can be run by users on computers in other domains, but won't delete lines for host001 there, because they would really be host001.otherdomain and not host001.yourdomain.

In any case it makes a backup of the original known_hosts.

It may be a bit too verbose; maybe some warnings get easily overlooked because of that (e.g. problem resolving hostname.domain -> IP).

If you use IPv6 already, you probably need to add some lines for that to the script. It should be similar to the IPv4 case.

Greetings,
Mike Dornberger
Attachment:
delvulnhostkeys.sh
Description: Bourne shell script
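The cleanup the mail describes, as an added example that is not the attached delvulnhostkeys.sh: back up a known_hosts file once, then purge a host under its FQDN, under its short name only when the domain appears in resolv.conf, and under the IPv4 address the FQDN resolves to. The domain example.org, the hosts host001/host002 and all file contents are constructed sample values. Two points where it differs from the attachment: the known_hosts removal flag this example calls is ssh-keygen -R, which is the only tool that can match hashed (|1|...) lines, so those are removed only when ssh-keygen is installed, while an awk pass handles plain entries regardless; and a plain entry in the [host]:port form is removed for any port, since the point is to drop every key that host ever presented.

```sh
#!/bin/sh
# Added example, not the script attached to the mail. Purges a host's
# known_hosts entries under host.domain, the bare short name (only when that
# domain is a search/domain entry in resolv.conf) and the IPv4 address.
# Domain, host list and sample file contents are constructed.

# names_for_host HOST DOMAIN RESOLV_CONF -> one name per line.
names_for_host() {
    _host=$1 _domain=$2 _resolv=$3
    printf '%s.%s\n' "$_host" "$_domain"
    # Escape dots so "example.org" does not also match "exampleXorg".
    _esc=$(printf '%s' "$_domain" | sed 's/\./\\./g')
    # Short name only if DOMAIN is listed on a search/domain line; on a
    # machine in another domain "host001" would mean host001.<otherdomain>.
    if grep -Eq "^[[:space:]]*(search|domain)([[:space:]]+[^[:space:]]+)*[[:space:]]+$_esc([[:space:]]|\$)" "$_resolv" 2>/dev/null; then
        printf '%s\n' "$_host"
    fi
}

# ipv4_of FQDN -> first IPv4 address, or a warning on stderr and status 1.
ipv4_of() {
    _ip=$(getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1; exit }')
    if [ -z "$_ip" ]; then
        echo "WARNING: cannot resolve $1; its IP entry is NOT removed" >&2
        return 1
    fi
    printf '%s\n' "$_ip"
}

# remove_plain_entry FILE NAME: drop unhashed lines whose host field lists
# NAME as one comma-separated element, with or without a [name]:port wrapper.
# Hashed lines (|1|...) are printed unchanged; only ssh-keygen -R can match them.
remove_plain_entry() {
    _file=$1
    awk -v n="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }   # comments, blanks
        {
            f = $1
            if (f ~ /^@/) f = $2                # @cert-authority / @revoked marker
            if (f ~ /^\|/) { print; next }      # hashed host, skip here
            drop = 0
            cnt = split(f, hosts, ",")
            for (i = 1; i <= cnt; i++) {
                h = hosts[i]
                sub(/^\[/, "", h); sub(/\]:[0-9]+$/, "", h)   # [host]:port -> host
                if (h == n) drop = 1
            }
            if (!drop) print
        }' "$_file" > "$_file.tmp" && mv "$_file.tmp" "$_file"
}

# purge_names FILE NAME...: back FILE up once, then remove every NAME.
purge_names() {
    _kh=$1; shift
    # Keep the first, untouched copy even if the script is run again.
    [ -f "$_kh.bak" ] || cp -p "$_kh" "$_kh.bak"
    for _n in "$@"; do
        if command -v ssh-keygen >/dev/null 2>&1; then
            ssh-keygen -R "$_n" -f "$_kh" >/dev/null 2>&1 || true
        fi
        remove_plain_entry "$_kh" "$_n"
    done
}

# Driver: "sh thisfile.sh --run" cleans the invoking user's known_hosts.
# DOMAIN and the host list are constructed placeholders to edit.
if [ "${1:-}" = "--run" ]; then
    DOMAIN=example.org
    KH=${HOME}/.ssh/known_hosts
    for h in host001 host002; do
        set -- $(names_for_host "$h" "$DOMAIN" /etc/resolv.conf)
        if ip=$(ipv4_of "$h.$DOMAIN"); then set -- "$@" "$ip"; fi
        purge_names "$KH" "$@"
    done
fi
```

Because every line for a purged host is removed, the next connection to that host triggers the usual first-contact prompt; verifying the new fingerprint out of band at that point is what makes the cleanup worth doing.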