On Fri, Jan 24, 2014 at 11:32 AM, Edward Ned Harvey (bblisa4) <[email protected]> wrote:

>> From: bblisa [mailto:[email protected]] On Behalf Of Alex Aminoff
>>
>> We plan to renumber all our IP space, which will cause saved ssh host
>> keys to become invalid.
>
> Now is the time to start using DNS. In fact, a long, long time ago was the
> time to start. If you were using DNS, you wouldn't have this problem. You
> can renumber to your heart's content, and ssh known_hosts will record
> "foobar.somedomain.org" as the host corresponding to that particular ssh
> server public key. Renumber away, no problem.
>
> If you're in the unfortunate situation of NOT using DNS, and for some reason
> the problem you care about is the IP address in the known_hosts file... Then
> just use sed on your known_hosts file to replace the old IP with the new IP.

I think the issue here might be the "CheckHostIP" option (defaults to YES) for SSH clients. I think that SSH will still complain even if there is a hostname-based entry in the known_hosts file. You see, there might be a DNS spoofing attack taking place. So using/not using DNS is irrelevant when you can't trust DNS.

BTW, if you have "HashKnownHosts" set as well, you can't directly use sed, as the hostnames/IP addrs are no longer stored as clear text in the known_hosts file. It looks like you can use ssh-keygen with the -H, -F, and possibly -R options to help find and/or remove entries. Changing the entries rather than just removing them looks like it would take some additional scripting though.

This web page on brute-forcing the known_hosts file might be of interest as well:
http://blog.rootshell.be/2010/11/03/bruteforcing-ssh-known_hosts-files/

Good Luck,
Bill Bogstad
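The "additional scripting" Bill mentions, as an added example that is not part of the original thread: a HashKnownHosts entry stores `|1|base64(salt)|base64(HMAC-SHA1(salt, host))`, so sed cannot find the old IP, but a script can check each entry against the old address and re-key matching ones to the new one (which CheckHostIP needs, since it compares the address entry as well as the name). The sample known_hosts lines and key strings below are constructed placeholders.

```python
import base64, hashlib, hmac, os

# Constructed sample keys (placeholders, not real host keys).
KEY_A = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyA"
KEY_B = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABExampleKeyB"

def hash_host(host, salt=None):
    """Build a HashKnownHosts token: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    salt = salt or os.urandom(20)  # ssh-keygen -H uses a random 20-byte salt per entry
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def host_matches(field, host):
    """True if a known_hosts host field (plain list or hashed token) covers host.
    Plain fields are matched exactly; wildcard patterns are not handled here."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        expect = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expect, base64.b64decode(mac_b64))
    return host in field.split(",")  # plain entries: comma-separated names/addresses

def renumber_known_hosts(lines, old_ip, new_ip):
    """Return known_hosts lines with old_ip entries re-keyed to new_ip.
    Hashed entries get a fresh salt, as ssh-keygen -H does; other lines are untouched."""
    out = []
    for line in lines:
        parts = line.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith(("#", "@")):
            out.append(line)  # blanks, comments and @marker lines are left alone
            continue
        hostfield, rest = parts
        if not host_matches(hostfield, old_ip):
            out.append(line)
        elif hostfield.startswith("|1|"):
            out.append("%s %s" % (hash_host(new_ip), rest))
        else:
            names = [new_ip if n == old_ip else n for n in hostfield.split(",")]
            out.append("%s %s" % (",".join(names), rest))
    return out

# Constructed known_hosts content: a plain entry listing name and IP, a hashed
# IP-only entry (fixed salt so the sample is reproducible), and an unrelated host.
KNOWN_HOSTS_SAMPLE = [
    "foobar.somedomain.org,10.0.0.5 " + KEY_A,
    hash_host("10.0.0.5", b"\x01" * 20) + " " + KEY_A,
    "10.0.0.9 " + KEY_B,
]
```

Run `renumber_known_hosts(KNOWN_HOSTS_SAMPLE, "10.0.0.5", "10.0.1.5")` to see the plain entry rewritten in place and the hashed entry replaced by a freshly salted token for the new address; the unrelated host is passed through unchanged.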
