2005/7/3, Colin Watson <[EMAIL PROTECTED]>:
> On Sun, Jul 03, 2005 at 03:28:15PM +0200, Bernd Eckenfels wrote:
> > In article <[EMAIL PROTECTED]> you wrote:
> > > That's true, and unavoidable in this scheme; but the use case (beyond
> > > fastidiousness) for this is not clear to me.
> >
> > Well, how do you audit the files and purge stale entries.
>
> That comes under "fastidiousness" as far as I'm concerned: the only
> benefits I see from bothering to do that are (a) negligible performance
> differences and (b) hiding of old information, which HashKnownHosts
> gives you anyway. I don't see how it's required for normal use. Joe User
> is never going to garbage-collect his known_hosts file; heck, even I
> have better things to do. The only time I've ever removed entries from
> known_hosts is when I know that a specific host's key has changed, and
> 'ssh-keygen -R' deals with that just fine.
One case I can think of is where you regularly ssh into a machine with a
dynamic IP address, maybe with or without a dyndns name. Depending on the
size of the ISP and how often the address changes, the known_hosts file
could increase without bound. Even with a dyndns name, the known_hosts file
has both the DNS name and the IP address. If you remove the hash based on
the DNS name, does it remove *all* known_hosts entries with IP addresses
with the same public key? The documentation for -R quoted doesn't state
either way.

To be honest, I think it would be far more useful to timestamp each entry
so you can simply expire old ones. Looking through my known_hosts file now
I see lots of duplicate entries (same host, different names) and hosts
which I only ever logged into once, as well as hosts that no longer exist
or are no longer accessible to me. With the names I guess; with hashes
you're stuffed. I think I can confidently say that >80% of my known_hosts
file is redundant, but I can only tell by seeing the names/IP addresses...

> (Of course, people with unusual requirements can always disable
> HashKnownHosts, but I'm interested in a sane default.)

Whether my situation is unusual or not I have no idea. This machine is
about 5 years old and has been connected to a lot of networks and machines
over its lifetime, each of which leaves a line or two in my known_hosts...
I think if another way was provided to manage file growth it wouldn't be
so much of an issue...
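The audit the thread is arguing about, as an added example (not code from the thread, from OpenSSH or from Debian): a Python script that parses a known_hosts file in OpenSSH's format, recognises HashKnownHosts entries (`|1|base64(salt)|base64(HMAC-SHA1(salt, hostname))`), matches them against candidate hostnames, and groups lines by public key so that a key recorded several times under different names or addresses stands out. The sample file, the placeholder key blobs and the fixed salt are constructed for the example; OpenSSH draws a fresh random salt for every entry. Wildcard and negated host patterns are not handled, only exact names.

```python
"""Audit an OpenSSH known_hosts file (added example, not OpenSSH code).

Entry format parsed here is OpenSSH's:
    [@marker] host1,host2,... keytype base64key [comment]
With HashKnownHosts the host field becomes
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))
"""
import base64
import hashlib
import hmac
from collections import defaultdict

HASH_MAGIC = "|1|"


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Return the HashKnownHosts form of one hostname for a given salt."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()


def hashed_field_matches(field: str, hostname: str) -> bool:
    """True if a |1|salt|hash host field was produced from `hostname`."""
    if not field.startswith(HASH_MAGIC):
        return False
    try:
        salt_b64, hash_b64 = field[len(HASH_MAGIC):].split("|", 1)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
    except ValueError:  # missing separator or invalid base64 (binascii.Error is a ValueError)
        return False
    actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def parse_known_hosts(text: str) -> list:
    """Parse known_hosts text into dicts: line number, optional marker, host fields, key."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):  # @cert-authority / @revoked markers
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue  # malformed line; skipped rather than guessed at
        entries.append({
            "line": lineno,
            "marker": marker,
            "hosts": fields[0].split(","),  # plain names/addresses, or one |1| hash
            "key": (fields[1], fields[2]),  # key type and base64 blob, treated as opaque
        })
    return entries


def entry_matches_host(entry: dict, hostname: str) -> bool:
    """True if the entry names `hostname`, either in clear or as a hash."""
    for field in entry["hosts"]:
        if field.startswith(HASH_MAGIC):
            if hashed_field_matches(field, hostname):
                return True
        elif field.lower() == hostname.lower():
            return True
    return False


def entries_for_host(entries: list, hostname: str) -> list:
    """Line numbers of all entries for one hostname; hashed ones only if the name is guessed right."""
    return [e["line"] for e in entries if entry_matches_host(e, hostname)]


def group_by_key(entries: list) -> dict:
    """Map (keytype, blob) -> lines carrying it; more than one line means duplicates."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["key"]].append(e["line"])
    return dict(groups)


def redundant_lines(entries: list) -> list:
    """Lines whose key already appeared on an earlier line (review candidates)."""
    seen, dup = set(), []
    for e in entries:
        if e["key"] in seen:
            dup.append(e["line"])
        seen.add(e["key"])
    return dup


# Constructed sample: key A recorded three times (name+IP, IP only, hashed), key B once.
# Key blobs are placeholders, not real public keys; the salt is fixed for determinism.
KEY_A = ("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYAAAAAAAAAAAAAAAAAAAAAAA")
KEY_B = ("ssh-rsa", "AAAAB3NzaC1yc2EAAAADAQABAAABPLACEHOLDERKEYBBBBBBBBBBBBBBBBBBBB")
SALT = bytes(range(20))

SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, not a real known_hosts file",
    f"server.example.net,192.0.2.10 {KEY_A[0]} {KEY_A[1]}",
    f"192.0.2.10 {KEY_A[0]} {KEY_A[1]}",
    f"{hash_hostname('server.example.net', SALT)} {KEY_A[0]} {KEY_A[1]}",
    f"{hash_hostname('old-box.example.org', SALT)} {KEY_B[0]} {KEY_B[1]}",
])

if __name__ == "__main__":
    parsed = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    for name in ("server.example.net", "192.0.2.10", "old-box.example.org", "unknown.example.com"):
        print(f"{name}: lines {entries_for_host(parsed, name)}")
    print("lines whose key was already seen:", redundant_lines(parsed))
```

The key grouping is the part of the audit the name-based view does not give you: it works whether or not host fields are hashed, because the key blob is never hashed. Matching a hashed entry, on the other hand, requires already knowing the hostname to hash, which is why an audit of a hashed file needs a candidate list. ssh-keygen -R matches on the host field, not on the key, so lines that merely share a key with the removed host are left in place.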