On 02/12/2014 02:59 PM, Brian wrote:
> On Tue 11 Feb 2014 at 15:22:26 +0200, Lars Noodén wrote:
>
>> ssh-keygen -r checks the SSHFP record in DNS. Use grep or something to
>> check known_hosts. For me, ssh-keygen -R does not remove all the
>> dynamically generated host keys, however. I've not yet identified what
>> confounds ssh-keygen.
>
> The -F option should tell you what is in known_hosts; the hostname can
> be a name or an IP address. If
>
>     ssh <name>
>
> is used two lines are entered into known_hosts and two invocations with
> 'ssh-keygen -R' are needed to clear the file. With
>
>     ssh <IP address>
>
> only one line is produced.
Running 'ssh-keygen -R' multiple times was one of the things I tried
early on. 'ssh-keygen -F' finds nothing, but grep for the hostname finds
one entry, and then the same key is found many times with different IP
addresses. With the dynamic hostnames, known_hosts appears to accumulate
only one entry with the hostname and then uses the IP address alone for
subsequent encounters of the same key.

> Could this explain your observation?

On this question, it appears that port plays a role. If the default port
is used, then -F and -R find the hostname. If a non-standard port is
used, then that has to be included in the search query.

    ssh-keygen -F foobar.example.com
    ssh-keygen -F [foobar.example.com]:1234

So -F and -R get only specific host+port combinations, not all keys.

Regards,
/Lars

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/52fb7725.5050...@gmail.com
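The host-field matching that the thread is describing (bare hostname for port 22, "[host]:port" for any other port, comma-separated aliases on one line) can be reproduced in a few lines of sh and awk. The script below is an added illustration, not something posted in the thread; the known_hosts lines, hostnames, addresses and key strings in it are constructed placeholders, not real key material. It shows why a lookup for the bare name misses the non-standard-port entry, and why the same key can turn up under several IP-address-only lines.

```sh
#!/bin/sh
# Constructed sample known_hosts content (placeholder keys, not real ones).
# Line layout: [@marker] hosts(comma-separated) keytype base64-key [comment]
KNOWN_HOSTS_SAMPLE='foobar.example.com,192.0.2.10 ssh-ed25519 AAAAKEYONE== host-a
192.0.2.11 ssh-ed25519 AAAAKEYONE==
[foobar.example.com]:1234 ssh-rsa AAAAKEYTWO== host-a-alt-port
[192.0.2.10]:1234 ssh-rsa AAAAKEYTWO==
@revoked old.example.com ssh-rsa AAAAKEYOLD== retired'

# Print the host-field form ssh uses for a host/port pair:
# port 22 is stored as the bare name, anything else as [host]:port.
kh_pattern() {
  host=$1
  port=${2:-22}
  if [ "$port" = 22 ]; then
    printf '%s\n' "$host"
  else
    printf '[%s]:%s\n' "$host" "$port"
  fi
}

# Count known_hosts lines whose host field lists the host/port pair
# exactly (as one of its comma-separated names), like ssh-keygen -F.
kh_find() {
  pattern=$(kh_pattern "$1" "$2")
  printf '%s\n' "$KNOWN_HOSTS_SAMPLE" | awk -v pat="$pattern" '
    {
      # An @cert-authority / @revoked marker shifts the fields by one.
      f = ($1 ~ /^@/) ? 2 : 1
      n = split($f, hosts, ",")
      for (i = 1; i <= n; i++) {
        if (hosts[i] == pat) { c++; break }
      }
    }
    END { print c + 0 }'
}

# Count how many lines carry a given key, regardless of host field.
# This is the grep-style view: one key, many name/address lines.
kh_key_lines() {
  printf '%s\n' "$KNOWN_HOSTS_SAMPLE" | awk -v key="$1" '
    {
      f = ($1 ~ /^@/) ? 2 : 1
      if ($(f + 2) == key) c++
    }
    END { print c + 0 }'
}

# Demo: the bare name matches one line, the [name]:1234 form a different
# one, and key ONE is recorded on two lines (one with the name, one IP-only).
echo "foobar.example.com (port 22):   $(kh_find foobar.example.com)"
echo "foobar.example.com (port 1234): $(kh_find foobar.example.com 1234)"
echo "foobar.example.com (port 2222): $(kh_find foobar.example.com 2222)"
echo "lines carrying AAAAKEYONE==:    $(kh_key_lines 'AAAAKEYONE==')"
```

The awk matching is a literal string compare on each comma-separated name, which is why a query for port 2222 finds nothing even though the host is in the file. One caveat the thread does not touch: when HashKnownHosts is enabled, the host field is stored as "|1|salt|hash" instead of the name, so a grep for the hostname finds nothing at all and only ssh-keygen -F (which hashes the query before comparing) can locate the line.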