#3
Old 21st December 2014
J65nko J65nko is offline
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,506

Because I am consistently lazy, I hardly ever have multiple entries for the same host. And it is not difficult, because the message explicitly mentions the line number:
Offending ECDSA key in /home/adriaan/.ssh/known_hosts:30
And finding the line with the eyeball method is impossible if you use HashKnownHosts in your .ssh/config.
From ssh_config(5):
             Indicates that ssh(1) should hash host names and addresses when
             they are added to ~/.ssh/known_hosts.  These hashed names may be
             used normally by ssh(1) and sshd(8), but they do not reveal
             identifying information should the file's contents be disclosed.
             The default is ``no''.  Note that existing names and addresses in
             known hosts files will not be converted automatically, but may be
             manually hashed using ssh-keygen(1).
$ tail -1 .ssh/known_hosts
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHKXuTGoeWZ1TwAN23cwZzGAfOqjw

$  ssh-keygen -H -f .ssh/known_hosts
.ssh/known_hosts updated.

Original contents retained as .ssh/known_hosts.old
WARNING: .ssh/known_hosts.old contains unhashed entries
Delete this file to ensure privacy of hostnames

$  tail -1 .ssh/known_hosts
|1|DsPj+qiYhGO06l1W5yJQ0+J0VyQ=|sgJdo5xHyq3ncwsD8JLffrMOzEo= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAI
As you can see, the IP address has now been hashed into |1|DsPj+qiYhGO06l1W5yJQ0+J0VyQ=|sgJdo5xHyq3ncwsD8JLffrMOzEo=
Impossible to find with the eyeball method.
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 21st December 2014 at 01:53 PM.
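How a hashed entry can still be matched against a name, as an added example that is not part of the post: OpenSSH writes the host field as |1|base64(salt)|base64(HMAC-SHA1(salt, hostname)), which is what `ssh-keygen -F hostname` checks for you. The sample known_hosts file, the 192.0.2.x addresses and the key blobs below are constructed.

```python
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"  # prefix OpenSSH writes in front of a hashed host field

def hash_host(host, salt=b""):
    """Return the |1|<salt>|<hmac> host field ssh-keygen -H would write for host."""
    if not salt:
        salt = os.urandom(20)  # OpenSSH uses a 20-byte random salt per entry
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()

def host_matches(field, host):
    """True if a known_hosts host field (plain or hashed) covers host."""
    if field.startswith(HASH_MAGIC):
        try:
            _, _, salt_b64, digest_b64 = field.split("|")
            salt, digest = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
        except ValueError:
            return False  # malformed hashed entry: never a match
        expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, digest)
    # Plain entries may list several names/addresses separated by commas.
    return host in field.split(",")

def find_host_lines(known_hosts, host):
    """1-based line numbers (as in the 'Offending key' message) matching host."""
    hits = []
    for lineno, line in enumerate(known_hosts.splitlines(), start=1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # optional @cert-authority / @revoked marker
            fields = fields[1:]
        if fields and host_matches(fields[0], host):
            hits.append(lineno)
    return hits

# Constructed sample file with fake key blobs; fixed salts keep it reproducible.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "192.0.2.7,gw.example.test ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY1",
    hash_host("192.0.2.10", b"\x01" * 20) + " ecdsa-sha2-nistp256 AAAAE2VjZHNhFAKEKEY2",
    hash_host("192.0.2.11", b"\x02" * 20) + " ecdsa-sha2-nistp256 AAAAE2VjZHNhFAKEKEY3",
])

if __name__ == "__main__":
    print("192.0.2.10 is on line(s):", find_host_lines(SAMPLE_KNOWN_HOSTS, "192.0.2.10"))
```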