I have started some work to better manage my SSH keys and servers. As part of this effort, I'm trying to keep my known_hosts file manageable. I've transitioned every single server under my control to only accept ed25519 keys, meaning only ed25519 host keys get added to my known_hosts file for those servers, but servers outside my control still accept other key types, and those other key types still get added to my known_hosts file, despite me only ever using ed25519 to connect.
I tried adding
Host *
HostKeyAlgorithms +ssh-ed25519
PubkeyAcceptedKeyTypes +ssh-ed25519
into my ~/.ssh/config, but that still hasn't prevented the unwanted key types from being added to my known_hosts file. Every solution I found on the internet, and the man pages, only shows how to completely disable adding any key types to known_hosts, but nothing about only adding the host key type corresponding to the key I'm using to log in.
Is there some clean way to achieve this?
Thank you
PubkeyAcceptedAlgorithms
    Specifies the signature algorithms that will be used for public key authentication
    as a comma-separated list of patterns. If the specified list begins with a '+'
    character, then the algorithms after it will be appended to the default instead of
    replacing it. If the specified list begins with a '-' character, then the specified
    algorithms (including wildcards) will be removed from the default set instead of
    replacing them. If the specified list begins with a '^' character, then the specified
    algorithms will be placed at the head of the default set. The default for this
    option is:
but I don't know whether that has any impact on the known_hosts behavior.
You could frequently purge the file w/ sed, though?
Yeah, sed was the first thing that came to mind, but I was hoping there was an option that prevents the irrelevant host key types from being added in the first place.
And what if you actually limit the accepted algos?
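Two things come up in the replies above: purging known_hosts with sed, and actually limiting the accepted algorithms rather than appending to them. The script below is an added example, not something posted in this thread or shipped with OpenSSH. It shows the config difference (a list starting with '+' appends to the OpenSSH default set, so rsa/ecdsa stay negotiable; a bare list replaces it) together with UpdateHostKeys, the ssh_config(5) option that, when enabled, has the client fetch all of a server's host keys after authentication and write them to known_hosts, which is one way key types you never negotiated end up in the file. It also includes a safe known_hosts filter that keeps only ssh-ed25519 entries without editing the file in place, and handles the @cert-authority/@revoked marker (which shifts the key-type field), hashed hostnames, comments and blank lines. The known_hosts sample and its base64 blobs are constructed placeholders, not real keys; the hostnames are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): limit host key algorithms in
# ssh_config and trim known_hosts to ed25519 entries.
set -eu

# Print the client config this example assumes. '+' only APPENDS to the
# default algorithm list; a bare list REPLACES it. UpdateHostKeys, when
# enabled, pulls every host key the server offers into known_hosts.
print_ssh_config() {
    cat <<'EOF'
# Weak: '+' appends, so rsa/ecdsa host keys are still negotiated and learned
#Host *
#    HostKeyAlgorithms +ssh-ed25519
#    PubkeyAcceptedAlgorithms +ssh-ed25519

# Restrictive: only ed25519 host keys and user keys are accepted
Host *
    HostKeyAlgorithms ssh-ed25519
    PubkeyAcceptedAlgorithms ssh-ed25519
    UpdateHostKeys no
EOF
}

# Constructed sample known_hosts; base64 blobs are placeholders, not keys.
sample_known_hosts() {
    cat <<'EOF'
# constructed sample, fake key material
example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKE
example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFAKE
example.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIFAKE
|1|U2FsdFNhbHRTYWx0U2FsdA==|SGFzaEhhc2hIYXNoSGFzaA== ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKE2
@cert-authority *.corp.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKECA
@cert-authority *.corp.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFAKECA
EOF
}

# Print only the entries of known_hosts ($1) whose key type is ssh-ed25519.
# A leading @marker (@cert-authority, @revoked) moves the key type from
# field 2 to field 3; hashed hosts (|1|...) still keep it in field 2.
# Comments and blank lines are preserved. Output goes to stdout, so the
# original file is never modified in place.
keep_only_ed25519() {
    awk '
        /^[ \t]*#/ || NF == 0 { print; next }
        {
            t = ($1 ~ /^@/) ? $3 : $2
            if (t == "ssh-ed25519") print
        }' "$1"
}

# Count the entries in known_hosts ($1) whose key type equals $2.
count_key_type() {
    awk -v want="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        { t = ($1 ~ /^@/) ? $3 : $2; if (t == want) n++ }
        END { print n + 0 }' "$1"
}

# Demo: filter the constructed sample and report counts before and after.
main() {
    before=$(mktemp)
    after=$(mktemp)
    sample_known_hosts > "$before"
    keep_only_ed25519 "$before" > "$after"
    echo "ssh-rsa entries before: $(count_key_type "$before" ssh-rsa)"
    echo "ssh-rsa entries after:  $(count_key_type "$after" ssh-rsa)"
    echo "ssh-ed25519 entries after: $(count_key_type "$after" ssh-ed25519)"
    echo
    echo "Suggested ~/.ssh/config:"
    print_ssh_config
    rm -f "$before" "$after"
}

main
```

To apply the filter for real, run `keep_only_ed25519 ~/.ssh/known_hosts > ~/.ssh/known_hosts.new`, inspect the result, then move it over the original; with `HostKeyAlgorithms ssh-ed25519` and `UpdateHostKeys no` in place the other key types should not be re-learned afterwards.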