removing outdated ssh fingerprints from known_hosts with sed or … ssh-keygen

At least since the last issue in Debian-based systems including Ubuntu you might know the pain of getting the message from your ssh client that the server host key has changed, as ssh stores the fingerprint of every ssh daemon it connects to. Actually this is a neat feature because it helps you detect man-in-the-middle attacks, DNS issues and other things you probably should notice.

Until recently I opened the file .ssh/known_hosts in vim, deleted the entry, saved the file and started over again. I randomly checked „man ssh“, which gives you a lot of hints about the usage of known_hosts, but I just did not find information about how to delete an old fingerprint or even overwrite it. I imagined something like „ssh --update-fingerprint hostname“ with an interactive yes/no question you cannot skip. There is the setting „StrictHostKeyChecking“ that might get you out of the fingerprint-has-changed trouble, but it does not solve the real problem, as you want those checks.

So after hanging around with Mnemonikk and discussing this, he pointed out a very simple method with „sed“ that is really handy and helps you understand sed more deeply. You can tell „sed“ to run a command on a specific line. Have a look at this session:

$ ssh secrethost
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
[...]
Offending key in /home/ccm/.ssh/known_hosts:46
[...]
Host key verification failed.
$ sed -i "46 d" .ssh/known_hosts
$ ssh secrethost
The authenticity of host 'secrethost (1.2.3.4)' can't be established.
RSA key fingerprint is ab:cd:ef:ab:cd:ef:ab:cd:ef:ab:cd:ef:ab:cd:ef:ab.
Are you sure you want to continue connecting (yes/no)?

We just took line number 46, which ssh complains about, and ran sed in in-place editing mode (-i) with the delete command (d) applied to line 46. That was easy, wasn’t it? Small lesson learned about sed. Thank you Mnemonikk (he is currently working on a screencast about screen, if you let me leak some information here :).

But to be honest I’m still looking for the „official“ method to delete a key from known_hosts. Therefore I browsed through the man pages and finally found what I was looking for in „man ssh-keygen“. Yes, definitely zero points for usability, as deleting with a tool named „generator“ is confusing, but it works. You can tell ssh-keygen to delete (-R) the fingerprints for a hostname, which also helps you when you have turned on hashed hostnames in your known_hosts:

$ ssh secrethost
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[...]
Offending key in /home/ccm/.ssh/known_hosts:63
[...]
Host key verification failed.
[ccm@hasung:255:/etc/ssh]$ ssh-keygen -R secrethost
/home/ccm/.ssh/known_hosts updated.
Original contents retained as /home/ccm/.ssh/known_hosts.old
[ccm@hasung:0:/etc/ssh]$ ssh secrethost
The authenticity of host 'secrethost (1.2.3.4)' can't be established.
RSA key fingerprint is ab:cd:ef:ab:cd:ef:ab:cd:ef:ab:cd:ef:ab:cd:ef:ab.
Are you sure you want to continue connecting (yes/no)?

So „ssh-keygen -R hostname“ is a nice syntax, as you do not even have to provide the file name and path for known_hosts, and it works with hashed names. Nevertheless I’ll also keep using the sed syntax: keep it trained, it’ll help you in other cases too.
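As an added example that is not part of the original post: a small POSIX shell script that pulls the line number out of ssh's „Offending key“ warning and deletes exactly that line with sed, keeping a .old backup the way ssh-keygen -R does. The known_hosts contents, the warning text and the hostname are constructed for the demo; the keys are placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Removes the known_hosts line that ssh's warning points at, using only sed.

# Extract N from "Offending key in <file>:N" (also "Offending RSA key in ...").
offending_line() {
    sed -n 's/^Offending .*key in [^:]*:\([0-9][0-9]*\).*$/\1/p' | head -n 1
}

# Delete line N of the given known_hosts file; keep a .old copy like ssh-keygen -R.
# Refuses anything that is not a plain line number so a garbled warning cannot
# turn into an unintended edit.
drop_known_host_line() {
    file=$1; n=$2
    case $n in ''|*[!0-9]*) return 1;; esac
    cp "$file" "$file.old"
    sed -i "$n d" "$file"      # GNU sed; on BSD/macOS use: sed -i '' "$n d"
}

# Demo on a constructed known_hosts: a plain entry, the stale "secrethost"
# entry, and a hashed entry (the "|1|salt|hash" form that sed-by-line still
# handles, unlike matching by hostname). Returns "<remaining lines> <gone>".
demo() {
    dir=$(mktemp -d)
    kh="$dir/known_hosts"
    printf '%s\n' \
        'otherhost,10.0.0.5 ssh-rsa AAAAB3PLACEHOLDER1' \
        'secrethost,1.2.3.4 ssh-rsa AAAAB3PLACEHOLDER2' \
        '|1|SALTPLACEHOLDER=|HASHPLACEHOLDER= ssh-ed25519 AAAAC3PLACEHOLDER3' > "$kh"
    warning="Offending key in $kh:2"            # constructed, as ssh would print it
    n=$(printf '%s\n' "$warning" | offending_line)
    drop_known_host_line "$kh" "$n"
    remaining=$(wc -l < "$kh" | tr -d ' ')
    if grep -q '^secrethost' "$kh"; then gone=0; else gone=1; fi
    rm -rf "$dir"
    echo "$remaining $gone"
}
```

If ssh-keygen is available, `ssh-keygen -R secrethost -f "$kh"` removes the same entry by hostname instead of by line number and also matches hashed entries.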

17 thoughts on “removing outdated ssh fingerprints from known_hosts with sed or … ssh-keygen”

  1. Thanks a million for this — it has bugged me for so long not having an easy way for this.

    The line number thing was always ambiguous .. are they counting zero up or 1-up?

  2. @John: It counts human-friendly beginning from „1“. It is therefore compatible to sed and common editors showing line numbers.

  3. I think:

    ssh-keygen -R localhost

    at line 9 in your second example should read:

    ssh-keygen -R secrethost

    instead.

  4. Thanks! With the whole OpenSSL weak key issue, this is just what I needed after applying updates!

  5. Thanks a lot man… believe it or not, this has been bugging me for years. But editing it with vim was always the quickest way… until now…

  6. Kudos for the use of sed! Some lightweight implementations of ssh like dropbear do not have utilities for key management, so the use of core-utils or busybox applets like sed are essential skills for many system administrators. Thanks for the article.

    — Carl

  7. If you are using OpenSSH on Windows, the „known_hosts“ file is at:
    C:\Documents and Settings\„User“\.ssh
    Notice I put „User“ where the computer user should be.
    Once in „.ssh“ you will see „known_hosts“.
    You can open „known_hosts“ with Wordpad: just right click -> open with -> choose „Wordpad“.

  8. Nice idea.

    I usually do a

    „vi .ssh/known_hosts +46“

    if I got the message. vi will jump to the line 46 already and I press dd, then save.

    Alex

  9. Thank you! It was getting complicated bouncing back to XP PuTTY, then back to Ubuntu Firewall Builder! (Saving grace) Thank you. Jeeezzzzzz

  10. Thanks a lot. I never knew there was a command like this, until one of my colleagues hinted about such a command and Google landed me on your page.

  11. Pingback: removing outdated ssh-keys | dannyn08

  12. I have this file on the remote host as ~/bin/log:

    #!/bin/bash
    # log: with an argument, grep the log file for it; without one, read a line
    # interactively and append it with a timestamp (empty input just prints the log).
    LOGFILE="$HOME/repo/log"   # a tilde inside quotes does not expand, so use $HOME
    if [ "$1" ]; then
        grep "$1" "$LOGFILE"
    else
        echo -n 'make entry '
        read
        case $REPLY in
            '') cat "$LOGFILE";;
            *) echo "$(date '+%F %T') $REPLY" >> "$LOGFILE";;
        esac
    fi
    exit 0

    Then, on each host I sit at, I have

    alias log='ssh remote_host_address "bin/log"'

    So if I don’t enter any text, I get the file’s contents, and if I do enter text it is time stamped and saved. If I type log „searchterm“ I get all the lines containing searchterm.

    P.S. Too bad code can’t be offset to retain indentation.
