Managing SSH's known_hosts database

Yoe wonders how to manage SSH's known_hosts database.

Here is how I do it:

In ~/.ssh/config:

Host *
  StrictHostKeyChecking yes
  CheckHostIP yes
  [...]

[...]

Host wall wall.madduck.net
  CheckHostIP no
  [...]

With StrictHostKeyChecking set to yes, SSH refuses to connect unless the host's key is already in the known_hosts database, instead of prompting to add it. For the host wall, which has a dynamic IP, I don't bother checking the IP every time I connect, so CheckHostIP is off for that host only.

To be able to connect to new hosts, or to hosts that I'll only use once or twice, I make use of two shell functions:

# throwaway connection: accept any key, store nothing
sshtmp () {
  ssh -o "StrictHostKeyChecking no" -o "UserKnownHostsFile /dev/null" "$@"
}

# first connection to a host whose key should be added to known_hosts
sshnew () {
  ssh -o "StrictHostKeyChecking no" "$@"
}

The first of the two effectively disables the known_hosts database: the key is neither checked nor stored, so I can connect to any host, but I also get no warning if its key has changed. The second function, sshnew, I use to connect to new hosts whose keys I want added to the known_hosts database.

This works alright. I would still much prefer something akin to ~/.ssh/known_hosts.d/, or another method that makes it easier to keep known_hosts synchronised across various hosts.
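The known_hosts.d layout wished for above can be approximated with plain shell, since ssh only needs a single file to point UserKnownHostsFile at. The following is an added example, not code from the original post: one file per host in a directory (the directory and file paths are assumptions), assembled into one known_hosts file that a stricter variant of the sshnew/sshtmp wrappers uses. The lookup function reads the first field of each line (comma-separated host names, possibly in [host]:port form) and falls back to ssh-keygen -F for hashed entries, which plain text matching cannot see.

```sh
#!/bin/sh
# Added example: emulate ~/.ssh/known_hosts.d/ with POSIX shell.
# KH_DIR holds one known_hosts fragment per host; KH_FILE is the assembled
# result that ssh is pointed at. Both paths are assumptions, not the post's.
KH_DIR="${KH_DIR:-$HOME/.ssh/known_hosts.d}"
KH_FILE="${KH_FILE:-$HOME/.ssh/known_hosts}"

# Concatenate every regular file in directory $1 into $2, dropping blank and
# comment lines so the result is a valid known_hosts file. Prints the number
# of key entries written.
kh_assemble() {
  dir=$1; out=$2
  : > "$out"
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    grep -v '^[[:space:]]*\(#\|$\)' "$f" >> "$out" || true   # grep exits 1 on no match
  done
  chmod 600 "$out"
  wc -l < "$out" | tr -d ' '
}

# Exit 0 if known_hosts file $2 has an entry for host $1, else 1.
# Field 1 of a line is a comma-separated host list; "[host]:port" is the
# non-standard-port form; an optional leading "@cert-authority"/"@revoked"
# marker shifts the host list to field 2. Hashed entries ("|1|...") can only
# be matched by ssh-keygen -F, so that is tried when the text scan misses.
kh_lookup() {
  host=$1; file=$2
  awk -v h="$host" '
    /^[ \t]*(#|$)/ { next }                        # skip blanks and comments
    $1 ~ /^@/      { sub(/^@[a-z-]+[ \t]+/, "") }  # drop marker, re-split fields
    {
      n = split($1, names, ",")
      for (i = 1; i <= n; i++) {
        name = names[i]
        sub(/^\[/, "", name); sub(/\]:[0-9]+$/, "", name)   # [host]:port -> host
        if (name == h) { found = 1; exit }
      }
    }
    END { if (found) exit 0; exit 1 }' "$file" && return 0
  if command -v ssh-keygen >/dev/null 2>&1; then
    ssh-keygen -F "$host" -f "$file" >/dev/null 2>&1
  else
    return 1
  fi
}

# Strict wrapper: refuse unknown or changed keys and consult only the
# assembled file, so the per-host fragments are the single source of truth.
sshkh() {
  ssh -o "StrictHostKeyChecking yes" -o "UserKnownHostsFile $KH_FILE" "$@"
}
```

Rebuild KH_FILE with kh_assemble whenever a fragment changes (for instance from a cron job or a post-merge hook, if the directory lives in a version-controlled repository that is synchronised between machines), and run kh_lookup before a first connection to see whether sshnew is needed at all.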

NP: Emerson, Lake & Palmer / Tarkus