Bug 2742 - Improve -R option, allow to purge all similar keys
Summary: Improve -R option, allow to purge all similar keys
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh-keygen
Version: 7.2p2
Hardware: All Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
Reported: 2017-07-12 01:29 AEST by Dirk Stöcker
Modified: 2018-10-12 21:13 AEDT
Description Dirk Stöcker 2017-07-12 01:29:47 AEST
When a server key has changed, OpenSSH prints a warning that the key has changed and also prints a command line to purge the old key from known_hosts when the change is correct.

This command line only ever purges the key for the hostname you are currently trying.

But there are usually at least two entries - one for the host and one for the IP. For dual stack there are at least 3. For dynamic IPs there may be hundreds.

It's a lot of manual work to find all the other keys and purge them as well.

It would be very nice if the -R command simply asked whether any key with the same key data should be purged as well (together with the number of entries). That would speed up the cleanup process a lot.

P.S. It would also be a good idea if I could tell SSH not to make the automatic IP-based entries for certain (dynamic IP) hosts.
Comment 1 Jakub Jelen 2017-07-18 19:20:04 AEST
> also prints a commandline to purge old key from known_hosts when the change is correct.

OpenSSH does not print that line. It is a Debian addition [1].

I don't think ssh-keygen should resolve the hostname to an IP address and also remove those lines.


[1] https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/mention-ssh-keygen-on-keychange.patch
Comment 2 Dirk Stöcker 2017-07-18 19:59:20 AEST
> OpenSSH does not print that line. It is a Debian addition [1].

Seems openSUSE copied this patch. Maybe it should find its way into the official tool ;-)

> I don't think ssh-keygen should resolve the hostname to an IP address and also remove those lines.

That's NOT what I proposed. This would not always work anyway (dynamic IPs again, or otherwise changed IPs, or a switch from a dual-stack network to an IPv4 one, or ...).

What I propose is to offer to delete all keys with "the same key data". As the host key changed, any entry with the same key data is very likely obsolete as well. There may be cases where this is not true (e.g. different hosts using the same key), so it should be optional.
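The key-data matching proposed in this comment, as an added example that is not part of this bug thread or of OpenSSH itself: a small Python script that, given the host name one would pass to ssh-keygen -R, collects that host's key data and drops every known_hosts line carrying the same key, counting what it removes so a tool could ask for confirmation first. The known_hosts content is constructed with placeholder key blobs; name matching is literal (no wildcards), while hashed host entries are reached only through the key-data comparison.

```python
# Constructed sample known_hosts; the key blobs are placeholders, not real keys.
KNOWN_HOSTS = """\
# constructed sample file
server.example.com ssh-ed25519 AAAAC3OLDKEY0000 stale-entry
203.0.113.10 ssh-ed25519 AAAAC3OLDKEY0000
|1|c2FsdHNhbHQ=|aGFzaGhhc2g= ssh-ed25519 AAAAC3OLDKEY0000
@cert-authority *.example.com ssh-ed25519 AAAAC3CAKEY00000
other.example.com ssh-ed25519 AAAAC3OTHERKEY00
server.example.com ssh-rsa AAAAB3RSAKEY0000
"""

def parse_entry(line):
    """Return (hosts, keytype, keydata) for one known_hosts line, or None
    for blank lines, comments and lines too short to be an entry."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    if fields[0].startswith("@"):  # drop @cert-authority / @revoked marker
        fields = fields[1:]
    if len(fields) < 3:
        return None
    return fields[0].split(","), fields[1], fields[2]

def host_matches(hosts, name):
    """Literal match on the comma-separated host field; hashed host fields
    (|1|salt|hash) never match by name and are only caught by key data."""
    return name in hosts

def purge_similar(lines, name):
    """Drop every entry whose (keytype, keydata) equals that of any entry
    for `name`, i.e. the host given to ssh-keygen -R.
    Returns (kept_lines, removed_count)."""
    targets = set()
    for line in lines:
        entry = parse_entry(line)
        if entry and host_matches(entry[0], name):
            targets.add((entry[1], entry[2]))
    kept, removed = [], 0
    for line in lines:
        entry = parse_entry(line)
        if entry and (entry[1], entry[2]) in targets:
            removed += 1
        else:
            kept.append(line)
    return kept, removed

if __name__ == "__main__":
    kept, n = purge_similar(KNOWN_HOSTS.splitlines(), "server.example.com")
    print(f"would remove {n} entries, keeping {len(kept)} lines")
```

A real tool would read ~/.ssh/known_hosts, show the count from `purge_similar` and ask before writing the kept lines back, preserving the optional behaviour requested above.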
Comment 3 Herman van Rink 2018-10-12 21:13:08 AEDT
I'd also like to see this feature added.

Matching on lines with the same key data should work and be straightforward.
 
+1 for making it optional ... although the only edge case I can think of, 'different hosts using the same key', sounds like bad practice.

I'm glad to have found this bug before creating a duplicate or asking on the mailing list.