#2047 "Community Services Infrastructure Standards, Security Policy" does not contains usage information for ssh_known_hosts
Closed: Fixed None Opened 10 years ago by till.

= phenomenon =


The current list of known fedora hosts can be found ssh_known_hosts for information on how to use this file please refer to Community Services Infrastructure Standards, Security Policy

But the "Community Services Infrastructure Standards, Security Policy" seems not to contain this information, e.g. a search for ssh_known_hosts reveals nothing.

= reason =

I don't know. Maybe it was not written or there is another document that covers this.

= recommendation =

Explain how this is meant to be used. I am not quite sure what is the best ways, afaik does SSH not support to have multiple ssh_known_hosts files except for a system one and a user one. So the only usable way is to manually copy the one entry one is interested manually into the users ssh_known_hosts file. From a end user POV it would be more helpful to have a compiled list of fingerprints, so that these could be directly compared with the one presented by the SSH client.

I'll work on this. AFAIK ssh does only allow a single 'global' file and a single per user ssh file. It's up to the user to determine where to put it, and it can be combined with already existing files.

The only problem is keeping up to date. I've got a cron job on my system that pulls in /etc/ssh/ssh_known_hosts regularly and I keep a per-user one for other items. I'll try to update and do a push out sometime in the next couple of weeks. A new publican version has caused me to have to make a few layout changes to CSI before I can do another build.

FYI: Here is now my setup to easily update the file. It also supports cleaning the known_hosts_files from RFC1918 IPs and hostnames not in the fedoraproject domain:


Another idea to use the Fedora known hosts file is to use this ssh_config / .ssh/config:

Host *.fedoraproject.org
GlobalKnownHostsfile /path/to/fedora-ssh-known-hosts

It does have info on this now. ;)

Login to comment on this ticket.