[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ssh host ip/id management for dynamic dns servers

On 20140212_200320, Lars Noodén wrote:
> On 02/12/2014 07:34 PM, Paul E Condon wrote:
> > ...
> > Question: Suppose I encounter this situation of the 'known host' having
> > moved to a different IP address (or a different URL?), is there a way
> > to discover whether the change is due to a proper functioning DynDNS,
> > or to a somewhat unstealthy man-in-the-middle operation? ...
> 
> The key rather than the address is the authoritative identifier of a
> host.  So a changing IP should be ok as long as the host key remains the
> same.  It is the host key which is used as identification and proof
> against a man in the middle attack.  So if the host key is the same, it
> is not a MITM.  Or if it is a MITM, it's more serious in that you've
> lost your key.
> 
> A changing IP leads to filling known_hosts with lots of entries, which
> is what Zenaan's original question was about.  After the first entry for

                   ^^^^^^^^^^^^^^^^^

Yes, but I asked an OT question. The key in knownhosts file is surely
not a private key of the host.  Rather it is a key that the host
publishes to identify itself to all incoming traffic. What keeps a
good person, like an well meaning employee of the NSA, from making a
copy of the published key and using the copy to spoof the site, in
order to check up on the legitimacy of the use of the ssh connection?

> a named host gets the name along with the IP, the subsequent known_host
> entries for that key do not contain the hostname.
> 
> sed works for clearing them out but upon thinking about it, awk might be
> better since it would allow keeping one copy of the key, sed would
> remove them all.  However, awk must work via a temporary file and cannot
> work directly on the known_hosts file.  With either, the pattern to
> search for would be a key or a key fragment.
> 
> 	awk "/$key/ && c++ { next } { print }" \
> 	~/.ssh/known_hosts > ~/.ssh/known_hosts.new;
> 
> It's going to be a short script, including extracting the key to use in
> sed or awk.
> 
> Regards,
> /Lars



-- 
Paul E Condon           
pecondon@mesanetworks.net
Reply to: