How to remove or update a single entry from the SSH known_hosts file



SSH keeps fingerprints of your remote machines in the known_hosts file. Sometimes you might need to remove or update one of those entries. Jack Wallen shows you how.


The SSH known_hosts file contains fingerprints (generated from the remote machine's SSH key) of the known machines you've logged into. When you SSH into a machine for the first time, you'll be asked if you want to save that host's fingerprint. Consider this file your personal SSH certificate authority. One reason this file is important is that it could prevent you from logging in to a different machine with the same IP address. Say, for example, someone has compromised one of the servers on your network. You've previously logged in to that machine with SSH, but the hackers have redirected the IP address to another machine. Should that happen, and you attempt to log into the machine with the same IP address, SSH will fail because of a mismatch on the SSH keys.


That's a bit of an extreme example, but it illustrates why known_hosts is important. It also illustrates a reason you might need to remove an entry from the file. Say you've migrated your database server to a different IP. Your known_hosts file still has the key from the previous IP, so when you try to log into the new IP address, SSH will complain. Instead of clearing out the entire known_hosts file, you can simply remove that one line.

Let me show you how.

What you'll need

To make this work, you'll need a machine running SSH with entries in the known_hosts file. That's it. Let's make this happen.

How to remove a single entry from known_hosts

Log in to the machine housing the known_hosts file. Let's say the IP address associated with the entry to be removed is . To remove that line, we'll use the ssh-keygen command like so:

ssh-keygen -f ~/.ssh/known_hosts -R <IP_ADDRESS>

The entry associated with will be removed and a new backup copy of known_hosts will be saved as known_hosts.old. You can test this by removing the entry and then logging back into . You should be asked if you want to save the ECDSA key fingerprint for the remote host. If that happens, congratulations! You've successfully removed that single entry from known_hosts.
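What removal by host has to match, as an added example that is not from the original article and is not OpenSSH's own code: when host names are stored hashed (the `|1|salt|hash` form written with HashKnownHosts), a text search for the IP finds nothing, so each entry must be tested with HMAC-SHA1. The function names, the sample hosts and the key blobs are constructed for illustration, and wildcard host patterns are not handled.

```python
import base64, hashlib, hmac

def hash_host(host, salt):
    """Build a hashed host field (|1|salt|HMAC-SHA1) in the HashKnownHosts form."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field, host):
    """True if a known_hosts host field names `host` (plain list or hashed form)."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in field.split(",")  # simplification: no wildcard/negation patterns

def fingerprint(key_b64):
    """SHA256 fingerprint of a key blob, in the form ssh shows when it asks to save a key."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def remove_host(lines, host):
    """Return (kept_lines, removed), where removed lists (keytype, fingerprint)."""
    kept, removed = [], []
    for line in lines:
        parts = line.split()
        # Comments and @cert-authority/@revoked marker lines are always kept.
        is_entry = len(parts) >= 3 and parts[0][0] not in "#@"
        if is_entry and host_matches(parts[0], host):
            removed.append((parts[1], fingerprint(parts[2])))
        else:
            kept.append(line)
    return kept, removed

# Constructed sample data: the key blobs are placeholder bytes, not real host keys,
# and 192.0.2.x are documentation addresses.
KEY_A = base64.b64encode(b"constructed-key-blob-A").decode()
KEY_B = base64.b64encode(b"constructed-key-blob-B").decode()
SAMPLE = [
    "# constructed known_hosts sample",
    "db.example.test,192.0.2.10 ecdsa-sha2-nistp256 " + KEY_A,
    hash_host("192.0.2.10", b"constructed-salt-20b") + " ssh-ed25519 " + KEY_B,
    "192.0.2.20 ecdsa-sha2-nistp256 " + KEY_A,
]

if __name__ == "__main__":
    kept, removed = remove_host(SAMPLE, "192.0.2.10")
    for keytype, fp in removed:
        print("removed", keytype, fp)
    print("\n".join(kept))
```

Recording the fingerprint of each removed key gives you something to compare against when the host presents a key at the next login.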

How to update an entry

Let's say you'd rather not remove the entry but, instead, you'd simply like to update one. You can do that with the ssh-keyscan command. Let's update the same server at the IP address with the command:

ssh-keyscan -t ecdsa <IP_ADDRESS> >> ~/.ssh/known_hosts

This time, when you go to log into that IP address, you won't be asked to save the fingerprint, because it's still there (only it has been updated).

And that's how you can easily remove or update an entry in the SSH known_hosts file. Don't just let that file become a garbage dump of entries, as that could wind up being a security issue.
