Ssh-keygen in centos 5.6
removing outdated ssh fingerprints from known_hosts with sed or ssh-keygen.
At least since the last issue on Debian-based systems including Ubuntu you probably know the pain of getting the message from your ssh client that the server host key has changed, as ssh stores the fingerprint of every ssh daemon it connects to. Actually this is a neat feature because it helps you detect man-in-the-middle attacks, DNS issues and other things you probably should notice.
Until recently I opened the file in vim, deleted the entry, saved the file and started over again. I randomly checked man ssh, which gives you a lot of hints about the usage of known_hosts, but I just did not find information about how to delete an old fingerprint or even overwrite it. I imagined something like ssh update-fingerprint hostname with an interactive yes/no question you cannot skip. There is the setting StrictHostKeyChecking that might get you out of the fingerprint-has-changed trouble, but it does not solve the real problem, as you want those checks.
So after hanging around with Mnemonikk and discussing this, he pointed out a very simple method with sed that is really handy and helps you understand sed more deeply: you can tell sed to run a command on one specific line only. So have a look at this session.
We just took line number 46, which ssh complains about, and ran sed in in-place editing mode (-i) with the delete command (d) applied to line 46. That was easy, wasn't it? A small lesson learned about sed. Thank you, Mnemonikk (he is currently working on a screencast about screen, if you let me leak some information here).
But to be honest, I'm still looking for the official method to delete a key from known_hosts. Therefore I browsed through the man pages and finally found what I was looking for in man ssh-keygen. Yes, definitely zero points for usability, as deleting with a tool named generator is confusing, but it works. You can tell ssh-keygen to delete (-R) the fingerprints stored for a hostname, which also helps you when you have turned on hashed hostnames in your known_hosts.
So ssh-keygen -R hostname is a nice syntax, as you do not even have to provide the file name and path of known_hosts, and it works with hashed names. Nevertheless I'll also keep using the sed syntax to keep it trained; it'll help you in other cases as well.
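To show both methods side by side without touching anything in ~/.ssh, here is an added example (not from the original post): it builds a constructed known_hosts file with three made-up hosts, deletes one entry by line number with sed as described above, then hashes the remaining names the way HashKnownHosts would and removes another host with ssh-keygen -R, which still finds the entry although grep no longer can. The host names and keys are invented; the keys are syntactically valid ssh-ed25519 blobs with all-zero key material, which is enough for ssh-keygen to parse them. The -f option points ssh-keygen at the test file instead of ~/.ssh/known_hosts.

```shell
#!/bin/sh
# Added example, not the original post's session. Hosts and keys below are
# constructed; the ssh-ed25519 blobs carry all-zero key material.

# Write a constructed known_hosts with three entries into "$1".
make_sample_known_hosts() {
    cat > "$1" <<'EOF'
host-a.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
host-b.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
host-c.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EOF
}

# Number of entries (lines) currently in the file "$1".
count_entries() {
    wc -l < "$1" | tr -d ' '
}

# Method 1 (sed): delete exactly the line number that ssh names in its
# "Offending key in .../known_hosts:N" warning. Only that line is touched,
# every other entry stays as it was. GNU sed syntax; BSD/macOS sed needs
# `sed -i '' ...` instead.
delete_known_hosts_line() {
    file="$1"; line="$2"
    sed -i "${line}d" "$file"
}

# Hash all host names in the file in place, as HashKnownHosts would have
# done when the entries were stored. ssh-keygen keeps a copy as <file>.old.
hash_known_hosts() {
    ssh-keygen -H -f "$1" >/dev/null 2>&1
}

# Method 2 (ssh-keygen -R): remove every key stored for a host name,
# whether the name is stored in clear text or hashed.
remove_host_key() {
    file="$1"; host="$2"
    ssh-keygen -R "$host" -f "$file" >/dev/null 2>&1
}

# True (exit 0) when the file still lists the host name in clear text.
has_plain_host() {
    grep -q "^$2 " "$1"
}

# Walk through both methods on a temporary file and print it at each step.
demo() {
    f=$(mktemp)
    make_sample_known_hosts "$f"
    echo "== start: $(count_entries "$f") entries"
    delete_known_hosts_line "$f" 2          # pretend ssh complained about line 2
    echo "== after sed -i '2d': $(count_entries "$f") entries"
    cat "$f"
    if command -v ssh-keygen >/dev/null 2>&1; then
        hash_known_hosts "$f"
        echo "== after ssh-keygen -H (names hashed, grep cannot find them any more):"
        cat "$f"
        remove_host_key "$f" host-a.example
        echo "== after ssh-keygen -R host-a.example: $(count_entries "$f") entries"
        cat "$f"
    fi
    rm -f "$f" "$f.old"
}

# Run the walkthrough only when asked for: sh known_hosts_demo.sh run
[ "${1:-}" = "run" ] && demo
```

Save it under any name and start it with the argument `run` to see the three stages; without the argument the functions are only defined, so the file can also be sourced. Note that the sed method relies on you reading the line number from the warning for the right file, while ssh-keygen -R deletes every key stored for that name, which is what you want when a host was legitimately re-installed and exactly what you do not want to do blindly when you have not verified why the key changed.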
17 thoughts on "removing outdated ssh fingerprints from known_hosts with sed or ssh-keygen."
Thanks a million for this, it has bugged me for so long not having an easy way for this.
The line number thing was always ambiguous. Are they counting from zero or from 1?
@John: It counts human-friendly, beginning from 1. It is therefore compatible with sed and common editors showing line numbers.