| Summary: | ~/.ssh/known_hosts.d/* |
|---|---|
| Product: | Portable OpenSSH |
| Reporter: | Josh Triplett <josh> |
| Component: | ssh |
| Assignee: | Assigned to nobody <unassigned-bugs> |
| Status: | CLOSED FIXED |
| Severity: | enhancement |
| CC: | djm, dtucker, simon, simon, vincent.fortier |
| Priority: | P2 |
| Version: | 5.1p1 |
| Hardware: | All |
| OS: | All |
| Bug Depends on: | |
| Bug Blocks: | 3162 |
| Attachments: | |
Description
Josh Triplett
2009-09-27 06:54:22 AEST
This might be possible, though the known_hosts code is already rather overcomplex (despite recent simplification). In any case, there would still need to be at least one regular known_hosts file specified to add keys to.

(In reply to Damien Miller from comment #1)
> This might be possible, though the known_hosts code is already
> rather overcomplex (despite recent simplification)
>
> In any case, there would still need to be at least one regular
> known_hosts file specified to add keys to.

Right. For the initial pass, ssh would still always write new keys to .ssh/known_hosts, and only *read* from known_hosts.d; the user would manually split entries out into files in that directory. Any change to automatically write out split files could come later.

Another idea is to support a @include directive in the known_hosts file.

If I can add, I just came across a clear case where this feature is lacking for me, which forces me to redirect to /dev/null: I need to access multiple hosts from various management networks across multiple locations. Management IPs are often the same at every location, making SSH complain that another host exists. Currently my ssh config is similar to:

    Host *<domain>*
        ProxyCommand ssh username@jumpserver nc -q0 %h %p
        StrictHostKeyChecking no
        UserKnownHostsFile=/dev/null

But having the ability to use something similar to the following, whereas instead I am able to redirect to a per domain|host|whatever I wish, such as:

    Host *<domain>*
        ProxyCommand ssh username@jumpserver nc -q0 %h %p
        StrictHostKeyChecking yes
        UserKnownHostsFile ~/ssh/known_hosts.d/<domain>|<hostname>|whatever

Thnx in advance, from another happy OpenSSH user.

Created attachment 3426 [details]
expand tokens and env vars in UserKnownHostsFile
With some recent work on percent-token expansions it should be relatively easy to add expansions to UserKnownHostsFile, allowing
UserKnownHostsFile ~/.ssh/known_hosts.d/%n
%n isn't ideal in the presence of a HostKeyAlias, so if this goes in I'd be adding a %k token for that.
(In reply to Vincent Fortier from comment #4)
> Management IPs are often the same at every
> location making SSH complain that another host exists.

BTW you can turn that off with CheckHostIP=no and rely solely on the HostKeyAlias.

I've just committed TOKEN expansion support for UserKnownHostsFile and the '%k' TOKEN for the HostKeyAlias. This combination should be an effective way to implement this in the config file should you want it.

(In reply to Josh Triplett from comment #2)
> Right. For the initial pass, ssh would still always write new keys
> to .ssh/known_hosts, and only *read* from known_hosts.d; the user
> would manually split entries out into files in that directory. Any
> change to automatically write out split files could come later.

Since UserKnownHostsFile takes multiple args but only writes to the first, you can now implement those semantics with:

    UserKnownHostsFile ~/.ssh/known_hosts ~/.ssh/known_hosts2 ~/.ssh/known_hosts.d/%k

If you move the %k one to the head of the list, you'll keep using the existing files for existing entries, but new entries will be written to ~/.ssh/known_hosts.d/ instead.

That's awesome, thank you!

Mass close of all bugs fixed in 8.4 release.
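The manual "split entries out into files in that directory" step discussed in the thread, as an added example that is not code from the bug thread or from OpenSSH: it files each known_hosts entry under the name that `%k` would expand to (assuming no HostKeyAlias, so `%k` is the plain host name), and leaves hashed and marker entries, which cannot be keyed by one name, in a catch-all file for the main list. The `split_known_hosts` and `demo` function names and the sample keys are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from OpenSSH: split an
# existing known_hosts file into one file per host under a known_hosts.d
# directory, the manual "split entries out" step that pairs with
#     UserKnownHostsFile ~/.ssh/known_hosts.d/%k ~/.ssh/known_hosts
# Assumption: no HostKeyAlias is in use, so %k is the plain host name and
# each entry is filed under it ([host]:port entries under "host").
# Hashed names (|1|...) and @cert-authority/@revoked lines cannot be keyed
# by one name, so they stay whole in a catch-all file for the main list.

split_known_hosts() {
    src=$1; dest=$2
    mkdir -p "$dest"
    # read splits off the name list; key type, key and comment stay in $rest.
    while read -r names rest || [ -n "$names" ]; do
        case $names in
            ''|'#'*) continue ;;                       # blank line or comment
            '@'*|'|1|'*)                               # marker or hashed entry
                printf '%s %s\n' "$names" "$rest" >> "$dest/_unsplit"
                continue ;;
        esac
        old_ifs=$IFS; IFS=,; set -- $names; IFS=$old_ifs
        for name in "$@"; do
            # [host]:2222 is keyed under "host", matching what %k expands to.
            fname=${name#\[}; fname=${fname%%\]:*}
            case $fname in
                '') continue ;;
                .*|*[*?!/]*|*'['*|*']'*)               # pattern or unsafe as a file name
                    printf '%s %s\n' "$name" "$rest" >> "$dest/_unsplit" ;;
                *)  printf '%s %s\n' "$name" "$rest" >> "$dest/$fname" ;;
            esac
        done
    done < "$src"
}

# Constructed sample input (keys are placeholders), then show the result.
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
        'host1,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER' \
        '[host2]:2222 ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER' \
        '|1|c2FsdA==|aGFzaA== ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER' \
        '@cert-authority *.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER' \
        > "$d/known_hosts"
    split_known_hosts "$d/known_hosts" "$d/known_hosts.d"
    ls "$d/known_hosts.d"        # per-host files plus _unsplit
    rm -rf "$d"
}
demo
```

Point `UserKnownHostsFile` at `~/.ssh/known_hosts.d/%k` first and at the file holding `_unsplit` second, so ssh keeps reading the hashed and marker entries while writing new keys per host.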