Ssh – How to install known_host keys for ssh manually

ssh

I've got a secure transmission system where I'm pushing host keys to a database. I'm trying to install keys generated on an Ubuntu 15 machine on a SLES 11 machine, and I'm trying to install keys generated on a CentOS 7 machine on that Ubuntu 15 machine.

So, is there a common mechanism for each of these machines to install host keys? This is getting really confusing and I'm thinking I'm being a bit over scrupulous. Everything is supposed to be automated and I've figured out a decent method for collecting the keys; I just don't know where the right place to put them on the machine is.

Here's a key on the CentOS machine:

[root@centos ~]# cat /etc/ssh/ssh_host_ecdsa_key.pub
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIl8BT33T4sEAgG56CItPWep/N3IKaUaw8Xy6Fn6k9SLsARi9zZk9FAd6H6DfbIxzkz1sjSjfq1JSVyd3slKf4M=

and here's what it looks like when I import it (via ssh, manually accepting it) into the known_hosts file on my Ubuntu machine:

root@ubuntu:/home# cat aaron/.ssh/known_hosts
|1|F+Hr+T8eulEpFFFhwdJKdcOg6yQ=|yM/XLEkDPFUWO/g9vPOONBkRvtE= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIl8BT33T4sEAgG56CItPWep/N3IKaUaw8Xy6Fn6k9SLsARi9zZk9FAd6H6DfbIxzkz1sjSjfq1JSVyd3slKf4M=

So, it looks like the first part in the known_hosts file is something encrypted, and on the SLES machines that part is not encrypted, so it's a bit simpler.

So my questions are:

  1. How do I come up with that encrypted part so I can echo it in to the known_hosts file?
  2. How do I know if a given Linux system is expecting the first hunk to be encrypted?

Best Answer

The manual page for sshd describes the format of the file:

SSH_KNOWN_HOSTS FILE FORMAT

The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host public keys for all known hosts. The global file should be prepared by the administrator (optional), and the per-user file is maintained automatically: whenever the user connects from an unknown host, its key is added to the per-user file.

Each line in these files contains the following fields: markers (optional), hostnames, bits, exponent, modulus, comment. The fields are separated by spaces.

[...]

Alternately, hostnames may be stored in a hashed form which hides host names and addresses should the file's contents be disclosed. Hashed hostnames start with a ‘|’ character. Only one hashed hostname may appear on a single line and none of the above negation or wildcard operators may be applied.

Except that the bits, exponent, modulus part is now used together as the public key. The hostname is hashed, but you can write it as a plain string and then run ssh-keygen over the file:

ssh-keygen -H [-f known_hosts_file]

for example: ssh-keygen -H -f ~/.ssh/known_hosts
