Re: ssh host ip/id management for dynamic dns servers
On 20140212_152909, Lars Noodén wrote:
> On 02/12/2014 02:59 PM, Brian wrote:
> > On Tue 11 Feb 2014 at 15:22:26 +0200, Lars Noodén wrote:
> >
> >> ssh-keygen -r checks the SSHFP record in DNS. Use grep or something to
> >> check known_hosts. For me, ssh-keygen -R does not remove all the
> >> dynamically generated host keys, however. I've not yet identified what
> >> confounds ssh-keygen.
> >
> > The -F option should tell you what is in known_hosts; the hostname can
> > be a name or an IP address. If
> >
> > ssh <name>
> >
> > is used, two lines are entered into known_hosts and two invocations with
> > 'ssh-keygen -R' are needed to clear the file. With
> >
> > ssh <IP address>
> >
> > only one line is produced.
>
> Running 'ssh-keygen -R' multiple times was one of the things I tried
> early on. 'ssh-keygen -F' finds nothing, but grep for the hostname
> finds one entry, and then the same key is found many times with
> different IP addresses. With the dynamic hostnames, what happens is
> that known_hosts appears to accumulate only one entry with the hostname
> and then uses the IP address alone for subsequent encounters of the
> same key.
>
> > Could this explain your observation?
>
> On this question, it appears that port plays a role. If the default
> port is used, then -F and -R find the hostname. If a non-standard port
> is used, then that has to be included in the search query.
>
> ssh-keygen -F foobar.example.com
> ssh-keygen -F [foobar.example.com]:1234
>
> So -F and -R get only specific host+port combinations, not all keys.
>
> Regards,
> /Lars
>
Lars,
Thanks for the new observations on ssh behavior. I would never have
suspected such complexity from what I know of the standard description
of ssh.
Live and learn.
Question: Suppose I encounter this situation of the 'known host' having
moved to a different IP address (or a different URL?). Is there a way
to discover whether the change is due to a properly functioning DynDNS,
or to a somewhat unstealthy man-in-the-middle operation?
Both are low probability events for almost every user, whatever their
station in life, so thinking about assessing the odds doesn't give
much help.
--
Paul E Condon
pecondon@mesanetworks.net
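The following is an added example, not part of the thread above and not OpenSSH's own code. It is a minimal known_hosts parser that reproduces the behaviour Lars reports: a lookup in the style of `ssh-keygen -F` matches one host-or-`[host]:port` pattern at a time (including `HashKnownHosts` entries, which plain grep cannot match), so the same key recorded under several IP addresses is only found by grouping on the key column instead. The last function is one concrete way to approach Paul's question: if the key presented at the new address is one already trusted under the hostname, the move is consistent with a dynamic-DNS address change; a different key for a known name, or a known address suddenly presenting a different key, is what needs out-of-band verification (an SSHFP record checked via `ssh-keygen -r` over DNSSEC, or a fingerprint obtained from the server's administrator). The hostnames, addresses, key blobs and salt are constructed for this example; the key blobs are not real public keys.

```python
import base64
import hashlib
import hmac
from collections import defaultdict

# Constructed sample material (example only): not real keys, fixed salt so
# the hashed entry is reproducible.
KEY_A = "AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyA0000000000000000000000000000000000"
KEY_B = "AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyB1111111111111111111111111111111111"
SALT = bytes(range(20))


def hosts_pattern(host, port=22):
    """ssh records a non-default port as [host]:port in known_hosts."""
    return host if port == 22 else "[%s]:%d" % (host, port)


def hash_hostname(hostname, salt):
    """HashKnownHosts field: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


# Constructed known_hosts: one name+address line, two later addresses with the
# same key, one non-default-port line, one hashed line.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "foobar.example.com,203.0.113.10 ssh-ed25519 " + KEY_A,
    "203.0.113.11 ssh-ed25519 " + KEY_A,
    "203.0.113.12 ssh-ed25519 " + KEY_A,
    "[foobar.example.com]:1234 ssh-ed25519 " + KEY_B,
    hash_hostname("hashed.example.com", SALT) + " ssh-ed25519 " + KEY_B,
])


def parse_known_hosts(text):
    """Return a list of {line, marker, hosts, keytype, key} dicts."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        marker = None
        if line.startswith("@"):            # @cert-authority / @revoked
            marker, line = line.split(None, 1)
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue                        # malformed line, ignored
        entries.append({"line": lineno, "marker": marker,
                        "hosts": parts[0].split(","),
                        "keytype": parts[1], "key": parts[2]})
    return entries


def host_matches(pattern, host, port=22):
    """Emulate ssh-keygen -F: exact host or [host]:port, plain or hashed.
    Wildcard and negated patterns are not handled in this example."""
    wanted = hosts_pattern(host, port)
    if pattern.startswith("|1|"):
        _, _, salt_b64, digest_b64 = pattern.split("|")
        expect = base64.b64decode(digest_b64)
        actual = hmac.new(base64.b64decode(salt_b64), wanted.encode(),
                          hashlib.sha1).digest()
        return hmac.compare_digest(expect, actual)
    return pattern == wanted


def find_host(entries, host, port=22):
    """All entries whose host field matches this exact host+port."""
    return [e for e in entries
            if any(host_matches(p, host, port) for p in e["hosts"])]


def entries_by_key(entries):
    """Group entries by (keytype, key): finds every address sharing a key."""
    by_key = defaultdict(list)
    for e in entries:
        by_key[(e["keytype"], e["key"])].append(e)
    return by_key


def classify_move(entries, hostname, new_ip, keytype, presented_key, port=22):
    """Heuristic for a 'known host moved' prompt (assumption of this example)."""
    known_for_name = {(e["keytype"], e["key"])
                      for e in find_host(entries, hostname, port)}
    known_for_ip = {(e["keytype"], e["key"])
                    for e in find_host(entries, new_ip, port)}
    if not known_for_name:
        return "unknown-host"
    if known_for_ip and (keytype, presented_key) not in known_for_ip:
        return "address-has-different-key"
    if (keytype, presented_key) in known_for_name:
        return "same-key-new-address"
    return "key-changed-verify-out-of-band"


if __name__ == "__main__":
    entries = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    for (ktype, key), group in entries_by_key(entries).items():
        print(ktype, key[:24] + "...", "on lines",
              [e["line"] for e in group])
```

With the sample file, a lookup for `foobar.example.com` on port 22 returns only the first line, a lookup for port 1234 returns only the `[foobar.example.com]:1234` line, and the hashed line is found only through the HMAC comparison; grouping by key is what reveals that `KEY_A` also sits under two bare addresses. The real tools behave the same way: `ssh-keygen -F '[foobar.example.com]:1234'` and `ssh-keygen -R '[foobar.example.com]:1234'` are needed for the non-default port, and `ssh-keygen -H` converts a file to the hashed form shown on the last sample line.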