[BBLISA] Mac users ssh client and changing host keys
Bill Bogstad
bogstad at pobox.com
Fri Jan 24 12:08:41 EST 2014
On Fri, Jan 24, 2014 at 11:32 AM, Edward Ned Harvey (bblisa4)
<bblisa4 at nedharvey.com> wrote:
>> From: bblisa [mailto:bblisa-bounces at bblisa.org] On Behalf Of Alex Aminoff
>> We plan to renumber all our IP space, which will cause saved ssh host
>> keys to become invalid.
>
> Now is the time to start using DNS. In fact, a long, long time ago was the time to start. If you were using DNS, you wouldn't have this problem. You can renumber to your heart's content, and ssh known_hosts will record "foobar.somedomain.org" as the host corresponding to that particular ssh server public key. Renumber away, no problem.
>
> If you're in the unfortunate situation of NOT using DNS, and for some reason the problem you care about is the IP address in the known_hosts file... Then just use sed on your known_hosts file to replace the old IP with the new IP.
I think the issue here might be the "CheckHostIP" option (defaults to
YES) for SSH clients. I think that SSH will still complain even if
there is a hostname based entry in the known_hosts file. You see
there might be a DNS spoofing attack taking place. So using/not
using DNS is irrelevant when you can't trust DNS.
BTW, if you have "HashKnownHosts" set as well, you can't directly use
sed as the hostnames/ip addrs are no longer stored as clear text in
the known_hosts file. It looks like you can use ssh-keygen with the
-H, -F, and possibly -R options to help find and/or
remove entries. Changing the entries rather than just removing them
looks like it would take some additional scripting though.
This web page on brute-forcing the known_hosts file might be of
interest as well:
http://blog.rootshell.be/2010/11/03/bruteforcing-ssh-known_hosts-files/
Good Luck,
Bill Bogstad
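The message above points out that a hashed known_hosts file can only be searched by recomputing each line's HMAC (ssh-keygen -F does this), and that rewriting an entry for a new IP rather than deleting it needs extra scripting. The following Python script is an added example written for this page; it is not code from the thread or from OpenSSH. It implements the HashKnownHosts encoding (|1|base64-salt|base64-HMAC-SHA1, salt as HMAC key, host string as message), a find_entries() that behaves like ssh-keygen -F, and a renumber() that replaces a host token equal to the old IP with a freshly salted token for the new IP while keeping the line's key, so the trust already established for the host carries over and CheckHostIP has a matching IP line again. The function and variable names, the deterministic FIXED_SALT, the sample known_hosts lines and the key blobs are all constructed for the example; the addresses are documentation ranges, not real hosts.

```python
"""Find and rewrite OpenSSH known_hosts entries for a renumbered host.

With HashKnownHosts the host field is "|1|<b64 salt>|<b64 mac>" with
mac = HMAC-SHA1(key=salt, msg=host). Nothing in the file reveals the host
name, so a candidate name can only be matched by recomputing the MAC under
each line's salt, which is what this script (and ssh-keygen -F) does.
"""
import base64
import hashlib
import hmac
import os
from typing import Callable, List, NamedTuple, Optional, Tuple

HASH_MAGIC = "|1|"


class Entry(NamedTuple):
    hosts: List[str]   # host field split on ",": names, IPs, "[host]:port", or hashed tokens
    rest: str          # "keytype base64-blob [comment]", kept verbatim


def hash_host(name: str, salt: bytes) -> str:
    """Encode a host string the way ssh does for HashKnownHosts yes."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "%s%s|%s" % (HASH_MAGIC, base64.b64encode(salt).decode(),
                        base64.b64encode(mac).decode())


def host_matches(field: str, name: str) -> bool:
    """True if one host-field token names `name`, whether clear text or hashed."""
    if not field.startswith(HASH_MAGIC):
        return field == name
    parts = field.split("|")            # ["", "1", salt, mac]
    if len(parts) != 4:
        return False
    try:
        salt = base64.b64decode(parts[2], validate=True)
    except ValueError:                  # binascii.Error is a ValueError subclass
        return False
    return hmac.compare_digest(hash_host(name, salt), field)


def parse_entry(line: str) -> Optional[Entry]:
    """Split a known_hosts line; None for blanks, comments and @marker lines."""
    s = line.strip()
    if not s or s.startswith("#") or s.startswith("@"):
        return None
    fields = s.split(None, 1)
    if len(fields) != 2:
        return None
    return Entry(fields[0].split(","), fields[1])


def find_entries(lines: List[str], name: str) -> List[str]:
    """Like `ssh-keygen -F name`: the key part of every line naming `name`."""
    return [e.rest for e in map(parse_entry, lines)
            if e is not None and any(host_matches(h, name) for h in e.hosts)]


def renumber(lines: List[str], old_ip: str, new_ip: str,
             salt_fn: Callable[[int], bytes] = os.urandom) -> Tuple[List[str], int]:
    """Rewrite every host token equal to old_ip as new_ip, keeping the key.

    A hashed token gets a fresh 20-byte salt and is re-hashed; a clear-text
    token is rewritten in clear. Lines that do not name old_ip are copied
    unchanged. Returns (new_lines, number_of_tokens_changed).
    """
    out, changed = [], 0
    for line in lines:
        e = parse_entry(line)
        if e is None or not any(host_matches(h, old_ip) for h in e.hosts):
            out.append(line)
            continue
        hosts = []
        for h in e.hosts:
            if host_matches(h, old_ip):
                hosts.append(hash_host(new_ip, salt_fn(20))
                             if h.startswith(HASH_MAGIC) else new_ip)
                changed += 1
            else:
                hosts.append(h)
        out.append(",".join(hosts) + " " + e.rest)
    return out, changed


# Constructed sample data: a fixed salt and fake key blobs, not real hosts or keys.
FIXED_SALT = bytes(range(20))
ED_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeBlobForTheExampleOnly00000000000 foobar"
RSA_KEY = "ssh-rsa AAAAB3NzaC1yc2EFakeBlobForTheExampleOnly other-host"
SAMPLE_KNOWN_HOSTS = [
    "# constructed known_hosts written with HashKnownHosts yes for foobar",
    hash_host("foobar.somedomain.org", FIXED_SALT) + " " + ED_KEY,   # hostname line
    hash_host("192.0.2.10", FIXED_SALT) + " " + ED_KEY,              # IP line that CheckHostIP checks
    "198.51.100.7 " + RSA_KEY,                                       # an older clear-text line
]

if __name__ == "__main__":
    print("old IP known as:", find_entries(SAMPLE_KNOWN_HOSTS, "192.0.2.10"))
    new_lines, n = renumber(SAMPLE_KNOWN_HOSTS, "192.0.2.10", "192.0.2.110")
    print("rewrote %d token(s)" % n)
    print("new IP known as:", find_entries(new_lines, "192.0.2.110"))
    print("\n".join(new_lines))
```

To use it on a real file, read ~/.ssh/known_hosts into a list of lines, call renumber() once per old/new address pair, and write the result to a new file before replacing the original. Hosts on non-standard ports are stored as "[host]:port", so pass that exact string as old_ip and new_ip. The script matches tokens only; it does not verify that the new address actually presents the same key, so a key change at the new address will still be caught by ssh's usual mismatch warning.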