Remove host key from .ssh/known_hosts file
While I was playing with the OpenBSD autoinstall(8) and reinstalled a couple of OpenBSD virtual machines a few times, I decided to do something about the following:
Code:

Normally I would do something like
Code:

I came up with a shell script called rm-known_hosts-key that does the same work:
Code:
#!/bin/sh
# j65nko - daemonforums.org
# ISC license
#
# remove key from .ssh/known_hosts by line number

# --- verify numeric argument/option
nr=$(expr "$1" : '\([0-9][0-9]*$\)' )
if [ -z "$nr" ] ; then
   echo $0:
   echo Please specify a line number ...
   exit 1
fi

FILE="${HOME}/.ssh/known_hosts"
#HOME=/root     # for testing error condition

# -- see mktemp(1)
printf "$0: Creating temp file : "
TEMP=$(env TMPDIR=${HOME} mktemp) || { echo $0: Cannot create temp file ; exit 2 ; }
echo ${TEMP}
ls -l ${TEMP}

# the command substitutions run while the here-document is built:
# the first shows the doomed line, the second writes the copy without it
cat <<END
Showing line nr $1 ......
$(sed -ne "$1p" ${FILE})
Using sed(1) to copy all lines except line $1 to ${TEMP} ...
$(sed -e "$1d" ${FILE} > ${TEMP})
Moving ${TEMP} to ${FILE} ...
END

# for testing error condition
#HOME=/root
#FILE="${HOME}/.ssh/known_hosts"

mv ${TEMP} ${FILE} || {
   echo $0: could not move ${TEMP} to ${FILE} !
   exit 3
}
# --- end of script ---

Another improvement could be to remove the temp file when an error occurs.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Last edited by J65nko; 21st December 2014 at 02:55 PM. Reason: Line number coloured in blue
Because I am consistently lazy I hardly ever have multiple entries for the same host. And it is not difficult, because the message explicitly mentions the line number:
Code:
Offending ECDSA key in /home/adriaan/.ssh/known_hosts:30

From ssh_config(5):
Code:
     HashKnownHosts
             Indicates that ssh(1) should hash host names and addresses when
             they are added to ~/.ssh/known_hosts.  These hashed names may be
             used normally by ssh(1) and sshd(8), but they do not reveal
             identifying information should the file's contents be disclosed.
             The default is ``no''.  Note that existing names and addresses in
             known hosts files will not be converted automatically, but may be
             manually hashed using ssh-keygen(1).

Code:

Impossible to find with the eyeball method.
Last edited by J65nko; 21st December 2014 at 01:53 PM.
Thanks for the clear explanation, J65nko. I hadn't noticed the line number being in the error message, and wasn't familiar with the hashing option either. So your approach to the problem makes sense to me now.
For what it's worth, here's an alternate approach that occurred to me overnight. It wouldn't work with hashing turned on, but would remove multiple lines if applicable. First one could look up the relevant key in known_hosts, either using the line number or by supplying the host name or IP instead. Then one could remove all lines containing that key using grep -v (for example).
perl -pi -e
or sed > tmpfile && tmpfile > origfile && rm tmpfile
(Perl is part of OpenBSD base, unlike FreeBSD.)
Too much typing. Actually I have a symlink called rmhk:
Code:
lrwxr-xr-x  1 adriaan  adriaan  20 Dec 22 01:42 rmhk -> ./rm-known_hosts.key

Code:
[adriaan@hercules]~: cat monkey
line 1
line 2
line 3
line 4
[adriaan@hercules]~: ex monkey
monkey: unmodified: line 4
:2d
line 3
:x
monkey: 3 lines, 21 characters
[adriaan@hercules]~: cat monkey
line 1
line 3
line 4
Well, less typing than ibara on sed, but more on perl. (But I don't know perl, so, were I on my own, googling how to remove the line would have taken longer.)
To be more specific, I meant that I don't know if OpenBSD's version of sed is like Linux, where one can type sed -i without having to put the ' ' as one does in FreeBSD's version of sed, or not, but I hadn't thought of perl.
Last edited by scottro; 22nd December 2014 at 02:24 AM.
OpenBSD sed(1) does not support the -i option at all
Yesterday, when reading ssh-keygen(1) I noticed that this command has an option to remove a host from .ssh/known_hosts:
Code:
     -R hostname
             Removes all keys belonging to hostname from a known_hosts file.
             This option is useful to delete hashed hosts (see the -H option
             above).

Code:
$ ssh kvm.utp.xnet
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The ECDSA host key for kvm.utp.xnet has changed,
and the key for the corresponding IP address 192.168.222.230
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
b1:5b:ee:26:25:e6:eb:a7:cd:26:8b:08:d4:53:ff:f5.
Please contact your system administrator.
Add correct host key in /home/adriaan/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/adriaan/.ssh/known_hosts:35
ECDSA host key for kvm.utp.xnet has changed and you have requested strict checking.
Host key verification failed.

ssh-keygen:
Code:
$ ssh-keygen -R kvm.utp.xnet
# Host kvm.utp.xnet found: line 35 type ECDSA
/home/adriaan/.ssh/known_hosts updated.
Original contents retained as /home/adriaan/.ssh/known_hosts.old
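As an added example that is not part of the thread: why the eyeball method fails on hashed entries, and how ssh-keygen -F/-R still find them. With HashKnownHosts the host field is |1|base64(salt)|base64(HMAC-SHA1 keyed with the salt over the hostname), so recomputing the HMAC for every line with that line's own salt recovers the offending line number (the "line 35" above) and lets every line for that host be dropped, hashed or not. The known_hosts content, keys and salt below are constructed sample data.

```python
import base64
import hashlib
import hmac

SALT = bytes(range(20))  # constructed; ssh draws 20 random bytes per line

def hashed_host_field(hostname: str, salt: bytes) -> str:
    """Build the '|1|salt|hash' field HashKnownHosts writes: base64 salt plus
    base64 HMAC-SHA1 over the hostname, keyed with that salt."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

# Constructed known_hosts (fake keys): line 2 is a hashed entry for kvm.utp.xnet, line 3 a plain one with an IP alias.
SAMPLE = "\n".join([
    "git.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYONE",
    hashed_host_field("kvm.utp.xnet", SALT) + " ecdsa-sha2-nistp256 AAAAE2VjZHNhFAKEKEYTWO",
    "kvm.utp.xnet,192.168.222.230 ssh-rsa AAAAB3NzaC1yc2EFAKEKEYTHREE",
    "other.example ssh-rsa AAAAB3NzaC1yc2EFAKEKEYFOUR",
]) + "\n"

def host_matches(field: str, hostname: str) -> bool:
    """True if a known_hosts host field (plain, comma-separated or hashed) names hostname."""
    if field.startswith("|1|"):
        try:
            _, _, salt_b64, mac_b64 = field.split("|", 3)
            salt, want = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        except ValueError:  # malformed hashed entry: never a match
            return False
        got = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(got, want)
    return hostname in field.split(",")

def find_host_lines(known_hosts: str, hostname: str) -> list:
    """1-based numbers of the lines whose host field names hostname (what ssh-keygen -F reports)."""
    hits = []
    for nr, line in enumerate(known_hosts.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        field = parts[1] if parts[0].startswith("@") and len(parts) > 1 else parts[0]  # skip @marker
        if host_matches(field, hostname):
            hits.append(nr)
    return hits

def remove_host(known_hosts: str, hostname: str) -> str:
    """Drop every line for hostname, hashed or not, as ssh-keygen -R does; keep the rest verbatim."""
    drop = set(find_host_lines(known_hosts, hostname))
    lines = known_hosts.splitlines(keepends=True)
    return "".join(ln for nr, ln in enumerate(lines, 1) if nr not in drop)
```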