IgnoreUserKnownHosts problem

Cliff Meece

Oct 10, 2001, 12:13:05 PM10/10/01
Hi,
I'm using OpenSSH 2.9p2 on Solaris 8 on both client and server. I
have SSH configured for HostBased Auth, and it works. I have written
some scripts that do key management, but I sometimes encounter
problems with users' known_hosts2 files. If I need to rebuild a host
or re-install SSH or generate a new key, I run a script that rebuilds
my global ssh_known_hosts and ssh_known_hosts2 file and distributes it
out to my systems. However, if a user had previously connected to
one of the machines that is rebuilt, they are asked about the key
mismatch, which is unacceptable, because I have a lot of scripted
processes that require non-interactive sessions. I thought I could use:


IgnoreUserKnownHosts
Specifies whether sshd should ignore the user's
$HOME/.ssh/known_hosts during RhostsRSAAuthentication
or HostbasedAuthentication. The default is ``no''.

So I set this to 'yes' in the sshd_config file on both client and
server and restarted ssh.

It doesn't seem to do anything. When I connect to a machine, it will
still put the key in ~/.ssh/known_hosts2, and if I go in and manually
change this key so that it is incorrect and try to connect again, it
will give the familiar message:

root:admin00> ssh admin02
Warning: the RSA host key for 'admin02' differs from the key for the
IP address '149.191.25.44'
Matching host key in /usr/local/etc/ssh_known_hosts2:18
Offending key for IP in //.ssh/known_hosts2:2
Are you sure you want to continue connecting (yes/no)? no
Aborted by user!

Is there a way to get ssh to ignore the user's known_hosts file?

Richard E. Silverman

Oct 10, 2001, 12:31:33 PM10/10/01

Look again at the man page text you quoted. IgnoreUserKnownHosts tells
the *server* to consult only the global known-hosts list when verifying
the client's identity for hostbased authentication. Your error messages
are coming from the *client*, when it is authenticating the server's
identity. IgnoreUserKnownHosts has nothing to do with that.

Your real problem is that you should not be replacing your host keys.
When you "rebuild a host or re-install SSH," you should not "generate a
new key." They are long-term identifiers for the hosts; once you've
created them, they get distributed, and you must preserve them or cause
problems for yourself and your users.

Of course, periodic or occasional replacement of host keys may be
necessary for security reasons, and that's a pain with the OpenSSH scheme.
PKI support such as that provided by the ssh.com product addresses this
problem. But you should definitely not be changing keys for the reasons
you cite.

--
Richard Silverman
sl...@shore.net
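The prompt in the original question comes from the client finding two different keys for the same host: the rebuilt key in the global ssh_known_hosts2 and the stale one pinned in the user's own file. As an added example (not code from the thread or from OpenSSH), this small checker parses both files in known_hosts format and reports exactly those per-host conflicts, so an administrator can find stale user entries before a scripted session hits the interactive prompt. The sample file contents are constructed from the host name and address shown in the question; the key strings are placeholder base64, not real keys.

```python
import base64
import binascii

# Constructed sample input: the global file carries the rebuilt key for admin02
# under both its name and its IP; the user's file still pins an older key for
# the IP. That is the situation behind the "differs from the key for the IP
# address" warning. Key material here is placeholder base64, not a real key.
GLOBAL_KNOWN_HOSTS = (
    "admin02,149.191.25.44 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0 rebuilt\n"
    "# comment lines and blank lines are ignored\n"
)
USER_KNOWN_HOSTS = (
    "admin02 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0\n"
    "149.191.25.44 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDZ\n"
)


def parse_known_hosts(text):
    """Return (lineno, [hosts], keytype, key) for each usable entry.

    Entry format is 'host[,host...] keytype base64key [comment]'. Comments,
    blanks, marker lines (@cert-authority, @revoked) and hashed entries
    (|1|salt|hash) are skipped; the hashed form cannot be matched by name
    without recomputing the HMAC, which this checker does not attempt."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#@|":
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        hosts, keytype, key = fields[0].split(","), fields[1], fields[2]
        try:
            base64.b64decode(key, validate=True)
        except binascii.Error:
            continue  # malformed key material, not a usable pin
        entries.append((lineno, hosts, keytype, key))
    return entries


def find_conflicts(global_text, user_text):
    """List (host, keytype, global_lineno, user_lineno) where the user's file
    pins a different key than the global file for the same host and type.
    These are the entries that make the ssh client prompt or refuse."""
    global_keys = {}
    for lineno, hosts, keytype, key in parse_known_hosts(global_text):
        for host in hosts:
            global_keys[(host, keytype)] = (key, lineno)
    conflicts = []
    for lineno, hosts, keytype, key in parse_known_hosts(user_text):
        for host in hosts:
            known = global_keys.get((host, keytype))
            if known is not None and known[0] != key:
                conflicts.append((host, keytype, known[1], lineno))
    return conflicts


if __name__ == "__main__":
    for host, keytype, gline, uline in find_conflicts(GLOBAL_KNOWN_HOSTS, USER_KNOWN_HOSTS):
        print(f"{host} ({keytype}): global line {gline} differs from user line {uline}")
```

Run against real files, a reported line is a stale user entry to remove; a host in the user file with no global entry at all is not flagged, since nothing contradicts it.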

Markus Friedl

Oct 10, 2001, 2:16:53 PM10/10/01
you are confusing client and server.

the manpage talks about the server and
you talk about the client.
