Re: Mass-updating cached hosts keys afrer ssh security upgrade?

[Maximilian Wilhelm <max@rfc2324.org>]

Anno domini 2008 JW scripsit:

Hi!

> In the past several weeks I have applied the openssh/openssl updates to my 
> systems - the updates the fix the random-number-generator weakness.

> This has turned into an unexpected nightmare: my users have, between them all, 
> dozens of cached host keys, and they are nearly unable to work because every 
> time they turn around they're getting bad-old-cached-key warnings (REMOTE 
> HOST IDENTIFICATION HAS CHANGED).

> I've been trying to go through all the known_hosts files manually and update 
> them to give my users a break, but it's a tedious nightmare. Adding to the 
> complexity is that many of the known_hosts files are armored (the hostname/ip 
> address is not in plain text).

> Has anyone come up with a way to read all the cached hosts - all the 
> ~/.ssh/known_hosts entries on a system (or at least per user) and fix them?

> Essentially I need some semi-automated way to fix this since I have many 
> users's connections to fix still (hundreds if not thousands by the time I do 
> machines X users X outgoing connections).

Others have already pointed to things how to do this.
When you have finished the cleaning up, you might be interested in 

	http://rfc2324.org/projects/ssh-keysync

Comments welcome.

Ciao
Max
-- 
	Follow the white penguin.