
Re: ssh host ip/id management for dynamic dns servers



On 02/12/2014 02:59 PM, Brian wrote:
> On Tue 11 Feb 2014 at 15:22:26 +0200, Lars Noodén wrote:
> 
>> ssh-keygen -r checks the SSHFP record in DNS.  Use grep or something to
>> check known_hosts.  For me, ssh-keygen -R does not remove all the
>> dynamically generated host keys, however.  I've not yet identified what
>> confounds ssh-keygen.
> 
> The -F option should tell you what is in known_hosts; the hostname can
> be a name or an IP address. If
> 
>    ssh <name>
> 
> is used two lines are entered into known_hosts and two invocations with
> 'ssh-keygen -R' are needed to clear the file. With
> 
>    ssh <IP address>
> 
> only one line is produced.

Running 'ssh-keygen -R' multiple times was one of the things I tried
early on.  'ssh-keygen -F' finds nothing, but grep for the hostname
finds one entry, and then the same key is found many times with
different ip addresses.  With the dynamic hostnames, known_hosts
appears to accumulate only one entry with the hostname and then uses the
ip address alone for subsequent encounters of the same key.

> Could this explain your observation?

On this question, it appears that port plays a role.  If the default
port is used, then -F and -R find the hostname.  If a non-standard port
is used, then that has to be included in the search query.

	ssh-keygen -F foobar.example.com
	ssh-keygen -F [foobar.example.com]:1234

So -F and -R get only specific host+port combinations, not all keys.

Regards,
/Lars
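Because -F and -R match only the exact host field (name, [name]:port or IP address), the other lines that carry the same host key are easy to overlook when cleaning up after a dynamic-DNS host. As an added example, not part of the thread, the following shell function lists every host field in a known_hosts file whose key matches the one recorded for a given host; the sample file contents and the key strings in it are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Constructed sample known_hosts (assumption, not anyone's real file): the DNS
# name on the default port, the same name on port 1234, and two lines that
# were recorded under the IP address alone after the dynamic address changed.
# The key blobs are placeholders, not real public keys.
SAMPLE_KNOWN_HOSTS=$(cat <<'EOF'
foobar.example.com ssh-ed25519 AAAAKEYALPHA
[foobar.example.com]:1234 ssh-ed25519 AAAAKEYALPHA
192.0.2.10 ssh-ed25519 AAAAKEYALPHA
192.0.2.77 ssh-ed25519 AAAAKEYALPHA
other.example.net ssh-rsa AAAAKEYBETA
EOF
)

# Print every host field that shares the key recorded for HOST, i.e. the lines
# 'ssh-keygen -R HOST' would leave behind. Only plain-text host fields are
# matched; hashed entries (|1|...) cannot be matched by name here.
# Usage: hosts_sharing_key <host-as-written-in-known_hosts> [known_hosts-file]
hosts_sharing_key() {
    host=$1
    file=${2:-"$HOME/.ssh/known_hosts"}
    awk -v want="$host" '
        /^#/ || /^@/ || NF < 3 { next }       # skip comments, markers, blanks
        { n = split($1, names, ",")          # first field may list several names
          for (i = 1; i <= n; i++) if (names[i] == want) key = $2 " " $3
          line[NR] = $0 }                    # buffer lines for a second pass
        END {
            if (key == "") exit 1            # HOST not present at all
            for (r = 1; r <= NR; r++) {
                split(line[r], f, " ")
                if (f[2] " " f[3] == key) print f[1]
            }
        }' "$file"
}

# Demonstration on the constructed sample; drop these lines to run the
# function against your own known_hosts.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_KNOWN_HOSTS" > "$demo"
hosts_sharing_key foobar.example.com "$demo"
rm -f "$demo"
```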

