2011 / 08 / 05

Updating known_hosts

Host keys

SSH uses host keys to prevent man-in-the-middle attacks. By default the host keys are generated when the operating system is installed or, depending on the OS, when sshd is restarted and no key is present. There are different ways to manage host keys, such as distributing a comprehensive known_hosts file or publishing the fingerprints in DNS, but most sites use the default configuration.

The known_hosts file

The ssh client keeps a copy of the public host keys of machines it has already connected to in the known_hosts file. When it connects to a machine for the first time, it warns the user and prompts them to update the known_hosts file:

    The authenticity of host 'servername (192.168.122.208)' can't be established.
    RSA key fingerprint is 1c:94:63:e6:c6:cd:c8:29:d2:2b:79:f0:30:48:ad:2c.
    Are you sure you want to continue connecting (yes/no)?

It will also refuse to connect to a machine whose host keys have changed, and gives this warning:

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that a host key has just been changed.
    The fingerprint for the RSA key sent by the remote host is
    f5:bc:7c:a8:36:fe:11:02:c5:8f:b5:db:2a:ee:26:54.
    Please contact your system administrator.
    Add correct host key in /root/.ssh/known_hosts to get rid of this message.
    Offending RSA key in /root/.ssh/known_hosts:1
      remove with: ssh-keygen -f "/root/.ssh/known_hosts" -R servername
    RSA host key for servername has changed and you have requested strict checking.
    Host key verification failed.

When communication between machines needs to be automated, such as with MPI in a High-Performance Computing (HPC) cluster, this becomes a problem.

The "trust" script

In a setting where:
  • passwordless ssh is needed
  • using "StrictHostKeyChecking no" is not an option
  • host keys are not managed
  • machines are rebuilt and new ones added on a regular basis
  • it can be guaranteed that the machines on the network have not been compromised, nor spoofed

updating the known_hosts file can be scripted. "trust" is a small script which removes the old keys and adds the new ones to the known_hosts file for a given host. It can be used to refresh the key for one machine, or for all the nodes:

    cd /usr/local/bin
    wget http://projects.zioup.org/utilities/trust
    chmod +x trust
    for h in $(cat /etc/nodes)
    do
        trust $h
    done
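The remove-then-add refresh described above, as an added example that is not the "trust" script itself. The function names key_status and trust_host are hypothetical, and the code assumes plain-text (unhashed) known_hosts entries on the default port. It prints whether each scanned key is new, unchanged or changed before rewriting the file, so the log can be reconciled against the list of machines that were actually rebuilt:

```shell
#!/bin/sh
# Added example, not the original "trust" script. Assumes plain-text
# known_hosts entries (HashKnownHosts no) and the default port 22.

# key_status HOST KEYTYPE KEYBLOB FILE
# Prints new, unchanged or changed for HOST's key of that type in FILE.
key_status() {
    awk -v h="$1" -v t="$2" -v k="$3" '
        BEGIN { s = "new" }
        /^[#@]/ || NF < 3 { next }
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == h && $2 == t)
                    s = ($3 == k || s == "unchanged") ? "unchanged" : "changed"
        }
        END { print s }' "$4"
}

# trust_host HOST FILE
# Reads ssh-keyscan output ("host keytype key") on stdin, prints one
# "host keytype status" line per key, then replaces HOST's lines in FILE.
# An empty scan leaves FILE untouched, so an unreachable node keeps its key.
trust_host() {
    host=$1 file=$2
    scan=$(awk -v h="$host" '!/^#/ && NF >= 3 && $1 == h')
    if [ -z "$scan" ]; then
        echo "$host: nothing scanned, $file left as is" >&2
        return 1
    fi
    touch "$file"
    printf '%s\n' "$scan" | while read -r name ktype blob rest; do
        echo "$host $ktype $(key_status "$host" "$ktype" "$blob" "$file")"
    done
    tmp="$file.new.$$"
    awk -v h="$host" '{
        n = split($1, names, ",")
        for (i = 1; i <= n; i++) if (names[i] == h) next
        print
    }' "$file" > "$tmp" || return 1
    printf '%s\n' "$scan" >> "$tmp"
    mv "$tmp" "$file"
}

# Typical use over the node list from the article:
#   for h in $(cat /etc/nodes); do
#       ssh-keyscan -T 5 "$h" 2>/dev/null | trust_host "$h" ~/.ssh/known_hosts
#   done
```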



Copyright Yves Dorfsman, 2011. Yves Dorfsman is an independent UNIX / Linux contractor in Calgary.