openssh known_hosts question - SSH


Thread: openssh known_hosts question

  1. openssh known_hosts question

    How does openssh know whether you've accepted a server's key before so
    as not to ask the next time 'round?

    I ran an ssh-keyscan against all servers in my known_hosts file,
    redirected the output to a new file and compared the two files. They
    were the same so obviously it's not there. So where does it store that info?

  2. Re: openssh known_hosts question

    Chuck wrote:
    > How does openssh know whether you've accepted a server's key before so
    > as not to ask the next time 'round?

    It puts the key in known_hosts.

    > I ran an ssh-keyscan against all servers in my known_hosts file,
    > redirected the output to a new file and compared the two files. They
    > were the same so obviously it's not there. So where does it store that info?


    I'm afraid I don't understand what problem you have that you're trying
    to solve. Why would ssh-keyscan output and your known_hosts file be
    different?

    Do you have a host that prompts you to accept a host key even though
    it's in your known_hosts file? If so, can you provide the exact message
    that appears? Is that host in your known_hosts list multiple times?

    --
    Darren Dunham ddunham@taos.com
    Senior Technical Consultant TAOS http://www.taos.com/
    Got some Dr Pepper? San Francisco, CA bay area
    < This line left intentionally blank to confuse you. >

  3. Re: openssh known_hosts question

    Darren Dunham wrote:
    > Chuck wrote:
    >> How does openssh know whether you've accepted a server's key before so
    >> as not to ask the next time 'round?
    >
    > It puts the key in known_hosts.


    Also, do you have an /etc/ssh_known_hosts file?
    --
    Darren Dunham ddunham@taos.com
    Senior Technical Consultant TAOS http://www.taos.com/
    Got some Dr Pepper? San Francisco, CA bay area
    < This line left intentionally blank to confuse you. >

  4. Re: openssh known_hosts question

    >>>>> "Chuck" == Chuck writes:

    Chuck> How does openssh know whether you've accepted a server's key
    Chuck> before so as not to ask the next time 'round?

    Chuck> I ran an ssh-keyscan against all servers in my known_hosts
    Chuck> file, redirected the output to a new file and compared the
    Chuck> two files. They were the same so obviously it's not there. So
    Chuck> where does it store that info?

    If you accept a key yourself as part of an SSH session, it's stored in
    ~/.ssh/known_hosts. There is also a per-machine file,
    /etc/ssh_known_hosts.

    Note that OpenSSH does not canonicalize names; it matches what you type on
    the command line verbatim against the keys in the known_hosts file (aside
    from the use of patterns in that file). So if you have an entry:

    foo.bar.com ssh-rsa AAAAB3NzaC1kc3MAAACBAMXXH+SzAIPRN38GehSA...

    and you type "ssh foo", they will not match. You can edit thus:

    foo.bar.com,foo ssh-rsa AAAAB3NzaC1kc3MAAACBAMXXH+SzAIPRN38GehSA...

    ... to fix this. Or, you can use Kerberos, which does canonicalize
    names.

    --
    Richard Silverman
    res@qoxp.net


  5. Re: openssh known_hosts question

    Darren Dunham wrote:
    > Darren Dunham wrote:
    >> Chuck wrote:
    >>> How does openssh know whether you've accepted a server's key before so
    >>> as not to ask the next time 'round?
    >
    >> It puts the key in known_hosts.
    >
    > Also, do you have an /etc/ssh_known_hosts file?


    I'm just trying to figure out where it stores the info that you've
    accepted a key before or not. I was being prompted for keys that were in
    the known_hosts file.

    No I do not have an /etc/ssh_known_hosts file.

  6. Re: openssh known_hosts question

    Richard E. Silverman wrote:
    >>>>>> "Chuck" == Chuck writes:
    >
    > Chuck> How does openssh know whether you've accepted a server's key
    > Chuck> before so as not to ask the next time 'round?
    >
    > Chuck> I ran an ssh-keyscan against all servers in my known_hosts
    > Chuck> file, redirected the output to a new file and compared the
    > Chuck> two files. They were the same so obviously it's not there. So
    > Chuck> where does it store that info?
    >
    > If you accept a key yourself as part of an SSH session, it's stored in
    > ~/.ssh/known_hosts. There is also a per-machine file,
    > /etc/ssh_known_hosts.
    >
    > Note that OpenSSH does not canonicalize names; it matches what you type on
    > the command line verbatim against the keys in the known_hosts file (aside
    > from the use of patterns in that file). So if you have an entry:
    >
    > foo.bar.com ssh-rsa AAAAB3NzaC1kc3MAAACBAMXXH+SzAIPRN38GehSA...
    >
    > and you type "ssh foo", they will not match. You can edit thus:
    >
    > foo.bar.com,foo ssh-rsa AAAAB3NzaC1kc3MAAACBAMXXH+SzAIPRN38GehSA...
    >
    > ... to fix this. Or, you can use Kerberos, which does canonicalize
    > names.
    >


    Thanks Richard. That's probably what happened. Is there a way to tell
    ssh-keyscan to include the hostname, FQDN, and IP address all in the
    first field?

  7. Re: openssh known_hosts question

    Chuck wrote:
    > Darren Dunham wrote:
    >> Darren Dunham wrote:
    >>> Chuck wrote:
    >>>> How does openssh know whether you've accepted a server's key before so
    >>>> as not to ask the next time 'round?
    >>
    >>> It puts the key in known_hosts.
    >
    > I'm just trying to figure out where it stores the info that you've
    > accepted a key before or not. I was being prompted for keys that were in
    > the known_hosts file.


    Were the names of the hosts that you gave to ssh the same as the name in
    the known_hosts file? Two different names for the same server won't
    match.

    --
    Darren Dunham ddunham@taos.com
    Senior Technical Consultant TAOS http://www.taos.com/
    Got some Dr Pepper? San Francisco, CA bay area
    < This line left intentionally blank to confuse you. >

  8. Re: openssh known_hosts question

    Darren Dunham wrote:
    > Chuck wrote:
    >> Darren Dunham wrote:
    >>> Darren Dunham wrote:
    >>>> Chuck wrote:
    >>>>> How does openssh know whether you've accepted a server's key before so
    >>>>> as not to ask the next time 'round?
    >>>> It puts the key in known_hosts.
    >
    >> I'm just trying to figure out where it stores the info that you've
    >> accepted a key before or not. I was being prompted for keys that were in
    >> the known_hosts file.
    >
    > Were the names of the hosts that you gave to ssh the same as the name in
    > the known_hosts file? Two different names for the same server won't
    > match.
    >


    That's what I've found out. One thing I want to accomplish from this
    exercise is to create a known_hosts file that can be distributed
    throughout the entire network. I'm going to need to edit it to include the
    hostname, FQDN, and IP address on each line.

  9. Re: openssh known_hosts question

    >>>>> "Chuck" == Chuck writes:

    Chuck> Richard E. Silverman wrote:
    >>>>>>> "Chuck" == Chuck writes:
    >>
    Chuck> How does openssh know whether you've accepted a server's key
    Chuck> before so as not to ask the next time 'round?
    >>
    Chuck> I ran an ssh-keyscan against all servers in my known_hosts
    Chuck> file, redirected the output to a new file and compared the
    Chuck> two files. They were the same so obviously it's not there. So
    Chuck> where does it store that info?
    >> If you accept a key yourself as part of an SSH session, it's
    >> stored in ~/.ssh/known_hosts. There is also a per-machine file,
    >> /etc/ssh_known_hosts.
    >>
    >> Note that OpenSSH does not canonicalize names; it matches what you
    >> type on the command line verbatim against the keys in the
    >> known_hosts file (aside from the use of patterns in that file). So
    >> if you have an entry:
    >>
    >> foo.bar.com ssh-rsa AAAAB3NzaC1kc3MAAACBAMXXH+SzAIPRN38GehSA...
    >>
    >> and you type "ssh foo", they will not match. You can edit thus:
    >>
    >> foo.bar.com,foo ssh-rsa AAAAB3NzaC1kc3MAAACBAMXXH+SzAIPRN38GehSA...
    >>
    >> ... to fix this. Or, you can use Kerberos, which does canonicalize
    >> names.
    >>

    Chuck> Thanks Richard. That's probably what happened. Is there a way
    Chuck> to tell ssh-keyscan to include the hostname, FQDN, and IP
    Chuck> address all in the first field?

    ssh-keyscan -t rsa foo,foo.bar.com,10.1.2.3
    # foo SSH-2.0-OpenSSH_3.8.1p1 Debian-krb5 3.8.1p1-7
    foo,foo.bar.com,10.1.2.3 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAw00dWgXpeCpGfpPSJ8/xlfgSIINB8u1p3l65ck/solAECGxixh/yCBLRk8FL4Zsed8qAsI/YRaFPY3iZflrTZl9dtDAglL1QK2chi/HFQ1AqSlZrmfzaYV3dimEwWMm3jTcgb6Hnf3Ze1llilQHUFsEZ32gwQpt0G4WyYtiQfJ0=


    --
    Richard Silverman
    res@qoxp.net
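The point Richard makes in posts 4 and 9 (the first field of a known_hosts line is compared verbatim against the name you typed, and ssh-keyscan simply copies the comma-separated list you hand it into that field) can be checked offline with the Python below. It is an added illustration, not code from this thread or from OpenSSH. It re-implements only the host-name side of a known_hosts lookup as the ssh manual describes it, and goes a little beyond the thread's case: besides the "foo" versus "foo.bar.com" mismatch and the comma-separated fix that Chuck wants for his network-wide file, it handles the `*`/`?` patterns and `!` negation the file format allows, the `[host]:port` form ssh looks up for non-standard ports, and the hashed `|1|salt|hmac` lines that the later HashKnownHosts option writes (HMAC-SHA1 keyed with the salt). The file contents, key blobs and salt are constructed for the example; markers such as `@revoked` are reported, not enforced.

```python
import base64
import hashlib
import hmac
import re
from typing import List, Tuple

# Constructed sample data: not from the thread, not real keys, not a real salt.
KEY_BLOB = "AAAAB3NzaC1yc2EAAAADAQABAAAAgQDExampleConstructedRsaBlob="
ED_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedEd25519Blob="
SALT = bytes(range(20))  # fixed so the hashed entry below is reproducible


def hash_hostname(name: str, salt: bytes) -> str:
    """Render a host name as HashKnownHosts does: |1|b64(salt)|b64(HMAC-SHA1(salt, name))."""
    mac = hmac.new(salt, name.lower().encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def lookup_name(host: str, port: int = 22) -> str:
    """The string ssh looks up: the bare name on port 22, [host]:port otherwise."""
    return host if port == 22 else "[%s]:%d" % (host, port)


def _glob(pattern: str) -> "re.Pattern":
    # known_hosts patterns know only '*' and '?'; everything else is literal.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("^" + body + "$")


def host_field_matches(field: str, name: str) -> bool:
    """Does the first field of a known_hosts line cover `name`?

    Plain fields are a comma-separated list of patterns compared
    case-insensitively but otherwise verbatim (so 'foo.bar.com' never covers
    'foo'); a pattern starting with '!' negates the whole line when it matches.
    Hashed fields are compared by recomputing the HMAC with the stored salt.
    """
    name = name.lower()
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        got = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(got, base64.b64decode(mac_b64))
    matched = False
    for pattern in field.split(","):
        negate = pattern.startswith("!")
        if _glob(pattern.lstrip("!").lower()).match(name):
            if negate:
                return False
            matched = True
    return matched


def find_host_keys(known_hosts: str, name: str) -> List[Tuple[str, str, str]]:
    """Return (marker, keytype, key) for every line whose host field matches
    `name`. Comments and blank lines are skipped; an @cert-authority or
    @revoked marker is carried through so the caller can honour it."""
    found = []
    for raw in known_hosts.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        marker = ""
        if parts[0].startswith("@"):
            marker, parts = parts[0], parts[1:]
        if len(parts) < 3:
            continue  # malformed line: ssh would log and ignore it
        if host_field_matches(parts[0], name):
            found.append((marker, parts[1], parts[2]))
    return found


# Before: the single-name entry from the thread, which 'ssh foo' will not find.
KNOWN_HOSTS_BEFORE = "foo.bar.com ssh-rsa " + KEY_BLOB + "\n"

# After: the same key listed under every name the host is reached by, the
# shape 'ssh-keyscan -t rsa foo,foo.bar.com,10.1.2.3' prints, plus a few other
# line shapes the file format allows (all constructed).
KNOWN_HOSTS_AFTER = "\n".join([
    "# constructed sample file",
    "foo,foo.bar.com,10.1.2.3 ssh-rsa " + KEY_BLOB,
    "!db-old.bar.com,db-*.bar.com ssh-ed25519 " + ED_BLOB,
    hash_hostname("web.bar.com", SALT) + " ssh-ed25519 " + ED_BLOB,
    "[git.bar.com]:2222 ssh-ed25519 " + ED_BLOB,
    "@revoked old.bar.com ssh-ed25519 " + ED_BLOB,
]) + "\n"


if __name__ == "__main__":
    for name in ("foo", "foo.bar.com", "10.1.2.3"):
        print("before:", name, "->", find_host_keys(KNOWN_HOSTS_BEFORE, name))
        print("after: ", name, "->", find_host_keys(KNOWN_HOSTS_AFTER, name))
    print("port 2222:", find_host_keys(KNOWN_HOSTS_AFTER, lookup_name("git.bar.com", 2222)))
```

Running it shows the behaviour Chuck hit: against the single-name file, "foo" finds nothing while "foo.bar.com" finds the key; against the ssh-keyscan-style line all three names resolve to the same key, so a file built that way and distributed network-wide is looked up correctly whichever name people type. The hashed line is the one case where the name is not readable in the file, which is why a distributed file is easier to audit when it is left unhashed and the hashing is left to each client.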

