Garrett: We need better support for SSH host certificates

Posted Mar 25, 2023 23:44 UTC (Sat) by ABCD (subscriber, #53650)
In reply to: Garrett: We need better support for SSH host certificates by songmaster
Parent article: Garrett: We need better support for SSH host certificates

It appears you can use ssh-keygen -R hostname to remove all keys belonging to the specified hostname from known_hosts. The man page notes that this option is useful to delete hashed hosts.


Garrett: We need better support for SSH host certificates

Posted Mar 26, 2023 0:51 UTC (Sun) by songmaster (subscriber, #1748) [Link] (2 responses)

Yes, but the secondary entries I was also deleting only had an IP address in them, no hostname. That command only deleted the primary entry for github.com (I tried it).

What would be needed is a command that finds all the public host keys in the file that match the key of the named host, and deletes them too.
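One way to do what is asked for here, as an added example that is not from this thread and not an OpenSSH tool: collect the key(s) recorded for the named host (hashed |1| entries included), then drop every known_hosts line carrying the same key, including the IP-only lines that ssh-keygen -R leaves behind. The optional keytype filter prunes only one key type so that still-valid keys of another type survive. The known_hosts content below is constructed; the key blobs and the IP are placeholders.

```python
import base64
import hashlib
import hmac

def hash_host(hostname, salt):
    """Build an OpenSSH hashed host field: |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

# Constructed sample known_hosts; key blobs and the IP are placeholders, not real host keys.
SAMPLE = "\n".join([
    "github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCexample1",
    "192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCexample1",  # IP-only line, same key
    hash_host("github.com", b"0123456789abcdef0123") + " ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCexample1",
    "github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexample2",  # different, still-valid key
    "example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCexample3",
]) + "\n"

def parse_line(line):
    """(hosts_field, keytype, blob), or None for blank/comment lines; a leading @cert-authority/@revoked marker is skipped."""
    fields = line.split()
    if fields and fields[0].startswith("@"):
        fields = fields[1:]
    return tuple(fields[:3]) if len(fields) >= 3 and not fields[0].startswith("#") else None

def host_matches(hosts_field, hostname):
    """True if hostname is named in the comma-separated hosts field, plain or hashed."""
    for h in hosts_field.split(","):
        if h.startswith("|1|"):
            _, _, salt_b64, mac_b64 = h.split("|")  # "|1|salt|mac" -> ['', '1', salt, mac]
            mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(mac, base64.b64decode(mac_b64)):
                return True
        elif h == hostname:
            return True
    return False

def prune_by_key(text, hostname, keytype=None):
    """Drop every line whose key equals one recorded for hostname, whatever host or IP
    that line names. With keytype set, keys of other types are left alone."""
    lines = text.splitlines()
    bad = set()
    for line in lines:
        p = parse_line(line)
        if p and host_matches(p[0], hostname) and keytype in (None, p[1]):
            bad.add((p[1], p[2]))
    kept, removed = [], []
    for line in lines:
        p = parse_line(line)
        (removed if p and (p[1], p[2]) in bad else kept).append(line)
    return "\n".join(kept) + "\n", removed
```

Run it on a copy of ~/.ssh/known_hosts and inspect the returned removed list before writing the kept text back; the script deliberately does not edit the file in place.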

Garrett: We need better support for SSH host certificates

Posted Mar 26, 2023 13:21 UTC (Sun) by Smon (guest, #104795) [Link]

Also this command removes the (still valid) ed25519 keys.

Garrett: We need better support for SSH host certificates

Posted Mar 26, 2023 13:45 UTC (Sun) by apoelstra (subscriber, #75205) [Link]

I had the same issue - I opened my ~/.ssh/known_hosts in vim and searched for the key itself rather than github (just guessing that it would show up under multiple addresses). Indeed I saw several IP addresses -- which I had no idea when/where they'd come from, until reading your comments here -- which I deleted since there was no way they were good anymore with a compromised key.

From a user POV this part of things was pretty bad.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds