I'd really like the ability to have multiple known_hosts files. This would greatly simplify the ability to share these files between systems using various secure methods, such as keeping them in my home directory's git repository. Ideally, I'd suggest reading all files in ~/.ssh/known_hosts.d/* by default, in addition to ~/.ssh/known_hosts. Alternatively, various approaches for allowing configuration of multiple known_hosts files might work; however, I don't know that it makes sense to support arbitrary files. I'd suggest continuing to write entries to ~/.ssh/known_hosts, at least by default. Users could populate ~/.ssh/known_hosts.d/* manually. Eventually it might make sense to write out individual files to ~/.ssh/known_hosts.d/, but that doesn't seem necessary initially. Thank you from a happy OpenSSH user.
This might be possible, though the known_hosts code is already rather overcomplex (despite recent simplification). In any case, there would still need to be at least one regular known_hosts file specified to add keys to.
(In reply to Damien Miller from comment #1)
> This might be possible, though the known_hosts code is already
> rather overcomplex (despite recent simplification)
>
> In any case, there would still need to be at least one regular
> known_hosts file specified to add keys to.

Right. For the initial pass, ssh would still always write new keys to .ssh/known_hosts, and only *read* from known_hosts.d; the user would manually split entries out into files in that directory. Any change to automatically write out split files could come later.
Another idea is to support a @include directive in the known_hosts file.
If I can add, I just came across a clear case where this feature is lacking for me, which forces me to redirect to /dev/null: I need to access multiple hosts from various management networks across multiple locations. Management IPs are often the same at every location, making SSH complain that another host exists. Currently my ssh config is similar to:

    Host *<domain>*
        ProxyCommand ssh username@jumpserver nc -q0 %h %p
        StrictHostKeyChecking no
        UserKnownHostsFile=/dev/null

But I would like the ability to use something similar to the following, where instead I am able to redirect to a per-domain, per-host or whatever file I wish, such as:

    Host *<domain>*
        ProxyCommand ssh username@jumpserver nc -q0 %h %p
        StrictHostKeyChecking yes
        UserKnownHostsFile ~/ssh/known_hosts.d/<domain>|<hostname>|whatever

Thnx in advance, from another happy OpenSSH user.
Created attachment 3426: expand tokens and env vars in UserKnownHostsFile

With some recent work on percent-token expansions it should be relatively easy to add expansions to UserKnownHostsFile, allowing

    UserKnownHostsFile ~/.ssh/known_hosts.d/%n

%n isn't ideal in the presence of a HostKeyAlias, so if this goes in I'd be adding a %k token for that.
(In reply to Vincent Fortier from comment #4)
> Management IPs are often the same at every
> location, making SSH complain that another host exists.

BTW you can turn that off with CheckHostIP=no and rely solely on the HostKeyAlias.
I've just committed TOKEN expansion support for UserKnownHostsFile and the '%k' TOKEN for the HostKeyAlias. This combination should be an effective way to implement this in the config file should you want it.

(In reply to Josh Triplett from comment #2)
> Right. For the initial pass, ssh would still always write new keys
> to .ssh/known_hosts, and only *read* from known_hosts.d; the user
> would manually split entries out into files in that directory. Any
> change to automatically write out split files could come later.

Since UserKnownHostsFile takes multiple args but only writes to the first, you can now implement those semantics with:

    UserKnownHostsFile ~/.ssh/known_hosts ~/.ssh/known_hosts2 ~/.ssh/known_hosts.d/%k

If you move the %k one to the head of the list, you'll keep using the existing files for existing entries, but new entries will be written to ~/.ssh/known_hosts.d/ instead.
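To make the semantics in the comment above concrete (every listed file is consulted for lookups, only the first is written to, and %k/%n are expanded per host), here is an added Python model of that behaviour; it is not OpenSSH's own code, and the hostnames, aliases, paths and key strings in it are constructed for the demo.

```python
import os
import tempfile

def expand_tokens(path, hostname, host_key_alias=None):
    # %n: host name as given on the command line; %k: HostKeyAlias if set,
    # otherwise the host name. '~' expands to the user's home as in ssh_config.
    alias = host_key_alias or hostname
    return os.path.expanduser(path.replace("%k", alias).replace("%n", hostname))

def known_hosts_paths(config_value, hostname, host_key_alias=None):
    """Split a UserKnownHostsFile value into its per-host expanded paths."""
    return [expand_tokens(p, hostname, host_key_alias) for p in config_value.split()]

def lookup_key(paths, name):
    """Consult every listed file; return 'keytype key' for name, or None."""
    for path in paths:
        if not os.path.exists(path):
            continue
        with open(path) as fh:
            for line in fh:
                fields = line.split()
                if len(fields) < 3 or fields[0].startswith("#"):
                    continue
                if name in fields[0].split(","):  # plain (unhashed) entries only
                    return " ".join(fields[1:3])
    return None

def record_key(paths, name, key):
    """New keys are appended only to the first listed file."""
    os.makedirs(os.path.dirname(paths[0]), exist_ok=True)
    with open(paths[0], "a") as fh:
        fh.write(f"{name} {key}\n")

def demo():
    home = tempfile.mkdtemp()  # stand-in for ~/.ssh (constructed sandbox)
    os.makedirs(f"{home}/known_hosts.d")
    with open(f"{home}/known_hosts", "w") as fh:  # legacy file, already populated
        fh.write("legacy.example ssh-ed25519 AAAAConstructedLegacyKey\n")
    # %k file listed first: old entries keep being found, new ones land per alias.
    cfg = f"{home}/known_hosts.d/%k {home}/known_hosts"
    results = {}
    # Two sites whose management address collides; HostKeyAlias tells them apart.
    for alias, key in (("site-a", "ssh-ed25519 AAAAConstructedKeySiteA"),
                       ("site-b", "ssh-ed25519 AAAAConstructedKeySiteB")):
        paths = known_hosts_paths(cfg, "10.0.0.5", alias)
        if lookup_key(paths, alias) is None:  # first contact: record the key
            record_key(paths, alias, key)
        results[alias] = lookup_key(paths, alias)
    results["legacy"] = lookup_key(known_hosts_paths(cfg, "legacy.example"), "legacy.example")
    results["files"] = sorted(os.listdir(f"{home}/known_hosts.d"))
    return results
```

Running demo() shows the two colliding management addresses stored under separate per-alias files while the legacy entry is still found from the second file in the list.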
That's awesome, thank you!
Mass close of all bugs fixed in 8.4 release.