Saturday, May 19, 2012

Keeping known_hosts clean

I was recently cleaning up stuff on my laptop and ~/.ssh/known_hosts got my attention: more than 100 records. Do I actually need them? I went through the file and deleted all IP-only hosts. I do not remember what those hosts are for, so it is fine with me to remove them.
Some hosts had both a domain name and an IP address:

    foo.example.com,12.34.45.67  ssh-rsa ...

If I reference a host by domain name, I do not want to track its IP address. That is their own business. So I left only the domain name for such hosts.
Also, it is fine to leave comments (starting with a "#" mark) and blank lines in the known_hosts file, so I grouped hosts, added comments and made it pretty.
Then I decided to test how it works. I connected to one of the hosts that is referenced by hostname in my known_hosts and noticed that SSH put in an extra record for that IP address. What? Again?
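As an added example (not from the original post), here is a small Python script that does the cleanup described above automatically: it drops IP-only entries, strips IP addresses out of mixed name,IP host fields, and leaves comments, blank lines, hashed hosts and @cert-authority / @revoked marker lines intact. It goes slightly beyond the post by also handling the [host]:port form used for non-default ports. The known_hosts content embedded in it is constructed sample data, not a real file.

```python
"""Clean an OpenSSH known_hosts file the way the post describes.

Rules:
  * comments ("#...") and blank lines are kept as-is
  * entries whose host field contains only IP addresses are dropped
  * in mixed host fields ("name,1.2.3.4") the IP parts are removed
  * hashed entries ("|1|salt|hash") are kept, since names and
    addresses cannot be told apart once hashed
Added example; the SAMPLE text below is constructed.
"""
import ipaddress
import re
import sys
from typing import List, Optional

# "[host]:port" form used for non-default ports.
_BRACKET = re.compile(r"^\[(?P<host>[^\]]+)\]:(?P<port>\d+)$")


def _is_ip(token: str) -> bool:
    """True if token is a bare IP or a bracketed "[ip]:port" entry."""
    token = token.lstrip("!")  # negated patterns ("!host") are still hosts
    m = _BRACKET.match(token)
    host = m.group("host") if m else token
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def clean_line(line: str) -> Optional[str]:
    """Return the cleaned line, or None if the entry should be dropped."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return line  # legal in known_hosts; keep untouched
    parts = stripped.split()
    marker = ""
    if parts[0].startswith("@"):  # @cert-authority / @revoked
        marker = parts.pop(0)
    hosts_field, rest = parts[0], parts[1:]
    if hosts_field.startswith("|1|"):
        return line  # hashed host: cannot inspect, keep
    names = [h for h in hosts_field.split(",") if not _is_ip(h)]
    if not names:
        return None  # IP-only entry: drop, as the post did by hand
    out = ",".join(names) + " " + " ".join(rest)
    return f"{marker} {out}" if marker else out


def clean_known_hosts(text: str) -> str:
    """Apply clean_line to every line and return the new file content."""
    kept: List[str] = []
    for line in text.splitlines():
        cleaned = clean_line(line)
        if cleaned is not None:
            kept.append(cleaned)
    return "\n".join(kept) + ("\n" if kept else "")


# Constructed sample input; keys are placeholders, not real host keys.
SAMPLE = """\
# work hosts
foo.example.com,12.34.45.67 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexample1

10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample2
[bar.example.com]:2222,[203.0.113.9]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample3
@cert-authority *.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample4
|1|abcdefghijklmnopqrstuvwxyz0=|0123456789abcdefghijklmnopq= ssh-rsa AAAAB3example5
"""


if __name__ == "__main__":
    # Usage: python3 clean_known_hosts.py [path]; without a path, runs on SAMPLE.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            sys.stdout.write(clean_known_hosts(fh.read()))
    else:
        sys.stdout.write(clean_known_hosts(SAMPLE))
```

Run it as `python3 clean_known_hosts.py ~/.ssh/known_hosts > known_hosts.new`, compare the two files, then move the new one into place. On the sample above it drops the 10.0.0.5 line, turns the first entry into `foo.example.com ssh-rsa ...`, and keeps the comment, the blank line, the certificate-authority line and the hashed entry unchanged.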

Googling showed that the following SSH option can help:

    CheckHostIP no

I don't care about DNS spoofing as long as the key is valid.

CheckHostIP can also be handy when you have a host with a dynamic IP and a dynamic DNS entry. In this case you get an additional known_hosts entry each time you access this host after its IP address has changed. To work around this, you can set the CheckHostIP option for this host only. In ~/.ssh/config write:

    Host dynamic.example.com
        CheckHostIP no