Wi-Fizzle.com - Putting the fizzle in Wi-Fi since 2005 .. (yes, this was a poor choice for a domain name)

#61
SSH known_hosts File Format/Syntax

Posted by dandriff on Sunday December 03, 2006@12:01PM

Playing around with SSH today, I discovered something I had never seen documented before. You can use wildcards in the .ssh/known_hosts file to keep it from making a new entry every time you log in via SSH to a remote machine that uses a dynamic IP address.


Situation/Scenario: You want to enable automated authentication for SSH sessions to another machine, but that machine uses a dynamic IP. You have already set up a dynamic DNS service for it.

For example, if 'thatmachine.example.com' is the one using a dynamic IP, you could do:

my_user:~> ssh 
The authenticity of host 'thatmachine.example.com (32.202.200.108)' can't be established.
RSA key fingerprint is a7:a5:a9:4c:f4:af:d3:1d:15:c8:94:b3:2b:ac:f6:1c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'thatmachine.example.com,32.202.200.108' (RSA) to the list of known hosts.
Linux thatmachine 2.6.8-3-386 #1 Thu Sep 7 05:39:52 UTC 2006 i686 GNU/Linux

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Sun Dec 3 11:21:22 2006 from static-37-28-116-100.dsl.net37.covad.net

This will add an entry to your .ssh/known_hosts file which looks something like this:

thatmachine.example.com,32.202.200.108 ssh-rsa PDBZB3NqaD0yc2EjMjMBIwjMPIEPxJKZwDCSLd2BGOdXCRceiSEYKrIBjMjLQiSijfpRNbBEESOH3LB7mMxHjPHOgjFm3R0TPKRlFQltpyCYsNrsragHxgT3EQlcCjhneIxBahQ04HPvXG/T3O1JUFYNaNjDMZsuv+buzr3GZBfsGEh1JUqMzW3/5tIBzD4OWaf75GA= 

This is great, until thatmachine.example.com gets assigned a new IP. What ends up happening is that a new entry is added to known_hosts every time you connect to the remote machine and it has a different IP. At this point it occurred to me that it would be really nice if you could put wildcards into the IP address portion of the entry. I searched Google and found that this is actually supported! Apparently it is also intended to prevent the constant interactive yes/no prompts.

So I edited the known_hosts file so that it looks like this:

thatmachine.example.com,32.202.* ssh-rsa PDBZB3NqaD0yc2EjMjMBIwjMPIEPxJKZwDCSLd2BGOdXCRceiSEYKrIBjMjLQiSijfpRNbBEESOH3LB7mMxHjPHOgjFm3R0TPKRlFQltpyCYsNrsragHxgT3EQlcCjhneIxBahQ04HPvXG/T3O1JUFYNaNjDMZsuv+buzr3GZBfsGEh1JUqMzW3/5tIBzD4OWaf75GA= 

And it has been working great! There have been no more interactive yes/no prompts and no more redundant entries added to my known_hosts file. Just think of all the disk space I'll save..
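To show exactly which names a wildcard entry like the one above covers, here is a small parser and matcher for known_hosts lines. It is an added example written for this post, not OpenSSH's own code, and it reimplements the matching rules OpenSSH documents for the host field: comma-separated patterns with '*' and '?' wildcards and '!' negation, the optional '@cert-authority' / '@revoked' marker, and hashed names of the form |1|salt|hash (what HashKnownHosts and ssh-keygen -H produce). The sample known_hosts contents, the salt and the key strings are constructed placeholders, not real key material.

```python
"""Toy known_hosts parser and host matcher (example code added to this post;
not OpenSSH's implementation). Re-implements the documented host-field rules:
  - comma-separated patterns: '*' matches any run of characters, '?' one
    character, a leading '!' negates the pattern
  - an optional '@cert-authority' or '@revoked' marker in the first column
  - hashed names: |1|base64(salt)|base64(HMAC-SHA1(salt, host))
"""
import base64
import hashlib
import hmac
import re
from typing import List, NamedTuple, Optional, Tuple


class HostKeyEntry(NamedTuple):
    marker: Optional[str]    # "@revoked", "@cert-authority" or None
    host_field: str          # raw host column, e.g. "thatmachine.example.com,32.202.*"
    key_type: str
    key_b64: str


def parse_known_hosts(text: str) -> List[HostKeyEntry]:
    """Split known_hosts text into entries, skipping blank and comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if len(fields) < 3:
            raise ValueError(f"malformed known_hosts line: {raw!r}")
        entries.append(HostKeyEntry(marker, fields[0], fields[1], fields[2]))
    return entries


def _glob_to_regex(pattern: str) -> "re.Pattern[str]":
    # OpenSSH patterns know only '*' and '?'; every other character is literal,
    # so escape it rather than using fnmatch (which would also honour '[...]').
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$")


def hash_host(host: str, salt: bytes) -> str:
    """Render a hostname the way HashKnownHosts / ssh-keygen -H store it."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def host_matches(host_field: str, host: str) -> bool:
    """True if `host` is covered by an entry's host field.

    A hashed field holds exactly one name and is compared by HMAC, so it can
    never match by wildcard. A plain field matches when at least one pattern
    matches and no negated pattern matches.
    """
    if host_field.startswith("|1|"):
        try:
            _, _, salt_b64, digest_b64 = host_field.split("|")
            salt = base64.b64decode(salt_b64, validate=True)
        except ValueError:            # malformed field or invalid base64
            return False
        expected = hash_host(host, salt).split("|")[3]
        return hmac.compare_digest(expected, digest_b64)   # constant-time compare
    matched = False
    for pat in host_field.split(","):
        negated = pat.startswith("!")
        if _glob_to_regex(pat[1:] if negated else pat).match(host):
            if negated:
                return False
            matched = True
    return matched


def keys_for_host(entries: List[HostKeyEntry], host: str) -> List[Tuple[Optional[str], str, str]]:
    """Entries whose host field covers `host`, as (marker, key_type, key) triples.
    The marker is kept so a caller can treat a matching @revoked entry as a hard
    failure instead of silently dropping it."""
    return [(e.marker, e.key_type, e.key_b64) for e in entries if host_matches(e.host_field, host)]


# Constructed sample file: the first entry is the post's wildcard line with its
# key replaced by a placeholder; the rest exercise negation, @revoked and hashing.
SAMPLE_SALT = b"constructed-20B-salt"    # 20 bytes, the size ssh-keygen -H uses
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# comment lines and blank lines are ignored",
    "",
    "thatmachine.example.com,32.202.* ssh-rsa PLACEHOLDER_KEY_1",
    "*.lab.example.com,!bastion.lab.example.com ssh-ed25519 PLACEHOLDER_KEY_2",
    "@revoked oldhost.example.com ssh-rsa PLACEHOLDER_KEY_3",
    hash_host("hidden.example.com", SAMPLE_SALT) + " ssh-rsa PLACEHOLDER_KEY_4",
])

if __name__ == "__main__":
    entries = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    for h in ("thatmachine.example.com", "32.202.200.108", "32.202.7.7", "32.203.0.1",
              "web.lab.example.com", "bastion.lab.example.com", "oldhost.example.com",
              "hidden.example.com"):
        print(f"{h:26} -> {keys_for_host(entries, h)}")
```

Two things the matcher makes visible. First, '32.202.*' is a plain string match, so the key is accepted for any address beginning with '32.202.' (including 32.202.7.7), not only for the addresses the machine has actually used; that widens which names the key is trusted for, not which keys are trusted, but it is worth knowing what you have written. The ssh_config option CheckHostIP is the other lever here: with it set to no, ssh checks only the hostname entry and never adds IP entries at all. Second, hashed entries compare an HMAC of the literal name, so turning on HashKnownHosts or running ssh-keygen -H on a file silently breaks any wildcard entry in it.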

I have confirmed this to be working with the following versions of OpenSSH on both OpenSuSE 10.1 and Debian Sarge.
OpenSSH versions:

  • OpenSSH_4.1p1
  • OpenSSH_3.8.1p1 Debian-8.sarge.4


_Keywords_:

  • known_hosts file
  • known_hosts syntax
  • known_hosts format