Re: ssh host ip/id management for dynamic dns servers
On 20140212_200320, Lars Noodén wrote:
> On 02/12/2014 07:34 PM, Paul E Condon wrote:
> > ...
> > Question: Suppose I encounter this situation of the 'known host' having
> > moved to a different IP address (or a different URL?), is there a way
> > to discover whether the change is due to a proper functioning DynDNS,
> > or to a somewhat unstealthy man-in-the-middle operation? ...
>
> The key rather than the address is the authoritative identifier of a
> host. So a changing IP should be ok as long as the host key remains the
> same. It is the host key which is used as identification and proof
> against a man in the middle attack. So if the host key is the same, it
> is not a MITM. Or if it is a MITM, it's more serious in that you've
> lost your key.
>
> A changing IP leads to filling known_hosts with lots of entries, which
> is what Zenaan's original question was about. After the first entry for
^^^^^^^^^^^^^^^^^
Yes, but I asked an OT question. The key in the known_hosts file is surely
not a private key of the host. Rather it is a key that the host
publishes to identify itself to all incoming traffic. What keeps a
good person, like a well-meaning employee of the NSA, from making a
copy of the published key and using the copy to spoof the site, in
order to check up on the legitimacy of the use of the ssh connection?
> a named host gets the name along with the IP, the subsequent known_host
> entries for that key do not contain the hostname.
>
> sed works for clearing them out but upon thinking about it, awk might be
> better since it would allow keeping one copy of the key, sed would
> remove them all. However, awk must work via a temporary file and cannot
> work directly on the known_hosts file. With either, the pattern to
> search for would be a key or a key fragment.
>
> # pass the key in with -v and match it with index(): a base64 key contains
> # '/' and '+', which would break a /$key/ regex
> awk -v key="$key" 'index($0, key) && c++ { next } { print }' \
> ~/.ssh/known_hosts > ~/.ssh/known_hosts.new
>
> It's going to be a short script, including extracting the key to use in
> sed or awk.
>
> Regards,
> /Lars
--
Paul E Condon
pecondon@mesanetworks.net
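As an added example (not code from this thread or from Lars), here is the awk-based dedup from the quoted message taken one step further: instead of dropping repeat entries for a key, it merges every hostname and IP seen for that key into one comma-separated host pattern, which OpenSSH accepts, so the key stays the identity while the DynDNS address keeps changing. The known_hosts content and key material are constructed and fake.

```shell
# Added example, not the thread's own script. Merge known_hosts lines that
# carry the same host key into one line listing every name/IP seen for it.
# Hashed (|1|...) lines and @cert-authority/@revoked lines pass through as-is.

# Constructed sample: one key seen under a hostname and three addresses,
# one unrelated key, one hashed entry. All key material is fake.
KNOWN_HOSTS_SAMPLE='home.example.org,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY1fakefakefakefakefakefakefakefakefakefa
192.0.2.11 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY1fakefakefakefakefakefakefakefakefakefa
198.51.100.7 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY1fakefakefakefakefakefakefakefakefakefa
other.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFAKEKEY2fakefakefake
|1|c2FsdHNhbHRzYWx0c2FsdA=|aGFzaGVkaG9zdGZha2U= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY3fakefakefake'

# Read known_hosts on stdin, write the merged file on stdout.
# Usage: merge_known_hosts < ~/.ssh/known_hosts > ~/.ssh/known_hosts.new
merge_known_hosts() {
    awk '
    # Comments, blank lines, hashed hosts and @marker lines: print unchanged,
    # they cannot be regrouped safely by a plain-text scan.
    /^#/ || /^$/ || substr($0, 1, 3) == "|1|" || $1 ~ /^@/ { print; next }
    {
        key = $2 " " $3          # key type plus base64 blob identifies the host
        if (!(key in hosts)) {   # first time this key is seen
            order[++n] = key
            hosts[key] = $1
            next
        }
        # Same key again: append the new pattern unless it is already listed.
        if (index("," hosts[key] ",", "," $1 ",") == 0)
            hosts[key] = hosts[key] "," $1
    }
    END { for (i = 1; i <= n; i++) print hosts[order[i]] " " order[i] }'
}

# Count lines of stdin without depending on wc output formatting.
count_lines() { awk 'END { print NR }'; }

printf '%s\n' "$KNOWN_HOSTS_SAMPLE" | merge_known_hosts
```

Merged lines are written after all pass-through lines, so a merged file is ordered differently from the input; a second run over the output changes nothing.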