--- version 1.253, 2010/03/03 22:49:50
+++ version 1.254, 2010/03/04 23:19:29

 maintained automatically: whenever the user connects from an unknown host,
 its key is added to the per-user file.
 .Pp
-Each line in these files contains the following fields: hostnames,
-bits, exponent, modulus, comment.
+Each line in these files contains the following fields: markers (optional),
+hostnames, bits, exponent, modulus, comment.
 The fields are separated by spaces.
 .Pp
+The marker is optional, but if it is present then it must be one of
+.Dq @cert-authority ,
+to indicate that the line contains a certification authority (CA) key,
+or
+.Dq @revoked ,
+to indicate that the key contained on the line is revoked and must not ever
+be accepted.
+Only one marker should be used on a key line.
+.Pp
 Hostnames is a comma-separated list of patterns
 .Pf ( Ql *
 and

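Review bot: the rewritten field list, "markers (optional), hostnames, bits, exponent, modulus, comment", still describes only the bits/exponent/modulus layout, while every key in the example block further down is written as "ssh-rsa" followed by a base64 blob, so the text and the example do not agree on what a key line looks like. Since this hunk is already touching that sentence, consider naming both layouts (for example "markers (optional), hostnames, keytype, base64-encoded key, comment" for the ssh-rsa form) and stating which applies when. Also, "Only one marker should be used on a key line" leaves open what happens if two are present; "must" plus the resulting behaviour would remove the ambiguity.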
 and empty lines are ignored as comments.
 .Pp
 When performing host authentication, authentication is accepted if any
-matching line has the proper key.
-It is thus permissible (but not
+matching line has the proper key; either one that matches exactly or,
+if the server has presented a certificate for authentication, the key
+of the certification authority that signed the certificate.
+For a key to be trusted as a certification authority, it must use the
+.Dq @cert-authority
+marker described above.
+.Pp
+The known hosts file also provides a facility to mark keys as revoked,
+for example when it is known that the associated private key has been
+stolen.
+Revoked keys are specified by including the
+.Dq @revoked
+marker at the beginning of the key line, and are never accepted for
+authentication or as certification authorities, but instead will
+produce a warning from
+.Xr ssh 1
+when they are encountered.
+.Pp
+It is permissible (but not
 recommended) to have several lines or different host keys for the same
 names.
 This will inevitably happen when short forms of host names

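Review bot: the new @revoked paragraph does not say how the hostnames field interacts with the marker, that is, whether a revoked key is refused only for hosts matching the pattern on that line or for every host; the example further down sidesteps the question by using "*". One sentence here stating which it is would let an administrator know whether a narrower pattern on a @revoked line is meaningful.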
 .Pp
 Note that the lines in these files are typically hundreds of characters
 long, and you definitely don't want to type in the host keys by hand.
-Rather, generate them by a script
+Rather, generate them by a script,
+.Xr ssh-keyscan 1
 or by taking
 .Pa /etc/ssh/ssh_host_key.pub
 and adding the host names at the front.
+.Xr ssh-keygen 1
+also offers some basic automated editing for
+.Pa ~/.ssh/known_hosts
+including removing hosts matching a host name and converting all host
+names to their hashed representations.
 .Pp
 An example ssh_known_hosts file:
 .Bd -literal -offset 3n

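Review bot: "Rather, generate them by a script, .Xr ssh-keyscan 1 or by taking" renders as "by a script, ssh-keyscan(1) or by taking", which reads as though ssh-keyscan(1) were the script rather than a second alternative; "by a script, by .Xr ssh-keyscan 1 , or by taking" keeps the three options parallel. The added ssh-keygen(1) sentence would be more actionable if it named the options that perform the removal and the hashing instead of describing them only in prose.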
 # A hashed hostname
 |1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa
 AAAA1234.....=
+# A revoked key
+@revoked * ssh-rsa AAAAB5W...
+# A CA key, accepted for any host in *.mydomain.com or *.mydomain.org
+@cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W...
 .Ed
 .Sh FILES
 .Bl -tag -width Ds -compact
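Review bot: both added example lines use the identical placeholder "AAAAB5W..." for the revoked key and for the CA key, which a reader can take to mean the same key is simultaneously revoked and trusted as a CA; distinct placeholders, or a comment saying the key material is abbreviated, would avoid that reading. Minor: the comment lists "*.mydomain.com or *.mydomain.org" while the pattern on the next line lists them in the opposite order; matching the order makes the two easier to compare.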