Bug 2742

Summary: Improve -R option, allow to purge all similar keys
Product: Portable OpenSSH Reporter: Dirk Stöcker <mindrot>
Component: ssh-keygenAssignee: Assigned to nobody <unassigned-bugs>
Status: NEW ---    
Severity: enhancement CC: jjelen, rink
Priority: P5    
Version: 7.2p2   
Hardware: All   
OS: Linux   

Description Dirk Stöcker 2017-07-12 01:29:47 AEST 
When a server key changed openssh prints a warning that the key has changed and also prints a commandline to purge old key from known_hosts when the change is correct.

This commandline always only purges the key for the hostname you currently try.

But there usually are at least two entries - one for host and one for the IP. For dual stack there are at least 3. For dynamic IP there may be hundreds.

It's a lot of manual work to find all the other keys and purge them as well.

It would be very fine, if the -R command would simply ask if any key with the same key data should be purged as well (together with the number of entries). That would speed up the cleanup process a lot.

P.S. It would also be a good idea when I could tell SSH to don't make the automatic IP based entries for certain (dynamic IP) hosts.
Comment 1 Jakub Jelen 2017-07-18 19:20:04 AEST 
> also prints a commandline to purge old key from known_hosts when the change is correct.

OpenSSH does not print that line. It is a Debian addition [1].

I don't think ssh-keygen should resolve the hostname to IP address and remove also that lines.


[1] https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/mention-ssh-keygen-on-keychange.patch
Comment 2 Dirk Stöcker 2017-07-18 19:59:20 AEST 
> OpenSSH does not print that line. It is a Debian addition [1].

Seems openSUSE copied this patch. Maybe it should find its way into the official tool ;-)

> I don't think ssh-keygen should resolve the hostname to IP address and remove also that lines.

That's NOT what I proposed. This would not work always anyway (dynamic IPs again or otherwise changed IPs or switch from a dual stack network to a IPV4 or ...).

What I propose is to offer to delete all keys with "the same key data". As the host key changed any entry with the same key data very likely is obsolete as well. There may be cases when this is not true (e.g. different hosts using the same key), so it should be optional.
Comment 3 Herman van Rink 2018-10-12 21:13:08 AEDT 
I'd also like to see this feature be added.

Matching on lines with the same key data should work and be straightforward.
 
+1 for making it optional ... although the only edge case I can think of 'different hosts using the same key' sounds like a bad practice.

I'm glad to have found this bug before creating a duplicate or asking on the mailing list.