[BBLISA] Mac users ssh client and changing host keys

Sean Lutner sean at rentul.net
Fri Jan 24 13:15:27 EST 2014


On Jan 24, 2014, at 11:32 AM, Edward Ned Harvey (bblisa4) <bblisa4 at nedharvey.com> wrote:

>> From: bblisa [mailto:bblisa-bounces at bblisa.org] On Behalf Of Alex Aminoff
>> 
>> What is the typical way a Mac user uses ssh? Do they use the
>> command-line ssh client that comes with the OS, or do they download some
>> app analogous to putty on windows?
> 
> I don't know a single person who uses an ssh client other than the built-in ssh.

I might be the minority, but I use SecureCRT almost exclusively. Saving, cloning and managing sessions is a very important bit of functionality, particularly when your known_hosts file is > 2000 lines. I use iTerm2 for some purposes and almost never use the built-in Terminal.App (it was too buggy in older releases and I've never gotten over that).

> 
> 
>> We plan to renumber all our IP space, which will cause saved ssh host
>> keys to become invalid. 
> 
> Now is the time to start using DNS.  In fact, a long, long time ago was the time to start.  If you were using DNS, you wouldn't have this problem.  You can renumber to your heart's content, and ssh known_hosts will record "foobar.somedomain.org" as the host corresponding to that particular ssh server public key.  Renumber away, no problem.

That's 100% false. The default behavior of the SSH client on any modern Unix/Linux variant is to check the IP of the remote host as well. It will be stored in the known_hosts file with the hostname,IP_address.

> 
> If you're in the unfortunate situation of NOT using DNS, and for some reason the problem you care about is the IP address in the known_hosts file...  Then just use sed on your known_hosts file to replace the old IP with the new IP.

The proper thing to do is to simply remove the entry from the known_hosts file and let the next connection regenerate the entry. In fact, that's all that needs to be done at all. Nothing needs to be done for key pairs on either side, just have clients remove the existing entries from their $HOME/.ssh/known_hosts file and be done with it.

> 
> _______________________________________________
> bblisa mailing list
> bblisa at bblisa.org
> http://www.bblisa.org/mailman/listinfo/bblisa
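As an added example that is not part of the thread (assumes a POSIX sh with awk; the hostnames, addresses and key data in the sample file are constructed), the clean-up Sean describes: a function that drops known_hosts entries by hostname and/or old IP, and that shows why the IP matters, since OpenSSH stores the host field as "hostname,IP" and matches each element.

```shell
#!/bin/sh
# Added example, not code from the thread: drop stale known_hosts entries for
# a renumbered host, by hostname and/or old IP, in POSIX sh + awk.
# OpenSSH stores the host field as a comma-separated list such as
# "foobar.somedomain.org,192.0.2.10 ssh-ed25519 AAAA..." and matches each
# element, so the old address has to go along with (or instead of) the name.

# remove_known_host FILE PATTERN...
# Removes every line whose host field contains any PATTERN as a whole element
# (a "[host]:port" element matches on host). Hashed entries (|1|salt|hash)
# cannot be matched textually; they are kept and counted so the caller knows
# to fall back to `ssh-keygen -R <host>` for them.
# Rewrites FILE in place and prints "<removed> <hashed_kept>".
remove_known_host() {
  file=$1; shift
  tmp="$file.tmp.$$"
  : > "$tmp"
  counts=$(awk -v out="$tmp" -v pats="$(printf '%s\n' "$@")" '
    BEGIN { n = split(pats, p, "\n"); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    /^[[:space:]]*(#|$)/ { print > out; next }     # comments and blank lines
    {
      host = $1
      if (host ~ /^@/) host = $2                   # @cert-authority / @revoked markers
      if (host ~ /^\|1\|/) { hashed++; print > out; next }
      m = split(host, h, ",")
      for (i = 1; i <= m; i++) {
        e = h[i]; sub(/^\[/, "", e); sub(/\]:[0-9]+$/, "", e)
        if (e in want) { removed++; next }
      }
      print > out
    }
    END { printf "%d %d\n", removed + 0, hashed + 0 }
  ' "$file")
  mv "$tmp" "$file"
  printf '%s\n' "$counts"
}

# Usage (uncomment to run on your own file):
# remove_known_host "$HOME/.ssh/known_hosts" foobar.somedomain.org 192.0.2.10
```

If the count of hashed entries kept is non-zero, finish the job with `ssh-keygen -R hostname` and `ssh-keygen -R old_ip`, which handle hashed lines.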
