6

It seems that every time I accept a new host key, ssh (I've tested 8.6p1 and 9.3p2) does the following steps:

  • Move the known_hosts file to known_hosts.old;
  • Create a new known_hosts file;
  • Copy the contents of known_hosts.old to known_hosts;
  • Add the new entry to the new known_hosts.

All well and good, except that, like many people, I've put my dotfiles under version control. The known_hosts file is a link to a file in my git repository. After all, if I've accepted a host key on my desktop, then I don't want to risk a MITM if I connect to the same host from my laptop. That's the whole point of the known_hosts file, after all.

The above procedure followed by ssh doesn't play nice: after I accept a new host, it's known_hosts.old which is a link to my version-controlled file, which never gets updated.

How do I tell ssh to please stop creating known_hosts.old and just edit known_hosts directly? I have no need for such a coarse backup method anyway - the file is already under version control. I've perused TFM but I didn't find any such option.

7
  • 1
    Maybe it would be simpler to add .ssh under version control? Commented Sep 15, 2023 at 15:35
  • @AlexeyTen It already is, that's the whole point of the question. Commented Sep 16, 2023 at 7:38
  • I believe Alexey meant not "all files symlinked to some other directory which is under version control" or even ".ssh is a symlink to some directory under version control", but "~/.ssh is a normal directory with standard structure composed of normal files which is itself under version control on its own". In this case, no files in it need to be symlinked to be under version control (the exact opposite is true: better not to symlink anything to the outside to have it version-controlled), and no problem like the one described will happen. At least, not with Git. Commented Sep 16, 2023 at 14:55
  • Upd: I think the O.P. better needs something like this Commented Sep 16, 2023 at 14:59
  • Actually, I meant to symlink ~/.ssh to a directory under version control. I have had this configuration for years and it works perfectly. Commented Sep 17, 2023 at 10:49
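
The sequence the question describes, replayed as an added shell example (not code from the question, the answers or OpenSSH) against a known_hosts that is a symlink into a dotfiles checkout, and then against a ~/.ssh that is itself a symlink to a directory in that checkout as the comments propose; the checkout path and host-key lines are constructed under a temporary directory.

```shell
#!/bin/sh
# Added example: replay the four steps the question attributes to ssh and
# report where the accepted entry ends up. "$REPO" stands in for the git
# working tree; the host keys are constructed placeholders.
set -eu

REPO=$(mktemp -d)/dotfiles
mkdir -p "$REPO/ssh"
printf 'host-a ssh-ed25519 AAAAconstructedKeyA\n' > "$REPO/ssh/known_hosts"

# Steps 1-4 from the question: rename to .old, recreate, copy back, append.
replay_ssh_update() {
    dir=$1; entry=$2
    mv "$dir/known_hosts" "$dir/known_hosts.old"
    : > "$dir/known_hosts"
    cat "$dir/known_hosts.old" >> "$dir/known_hosts"
    printf '%s\n' "$entry" >> "$dir/known_hosts"
}

# Report "<known_hosts type> <known_hosts.old type> <checkout file state>".
report() {
    dir=$1; host=$2
    if [ -L "$dir/known_hosts" ]; then a=symlink; else a=regular; fi
    if [ -L "$dir/known_hosts.old" ]; then b=symlink; else b=regular; fi
    if grep -q "^$host " "$REPO/ssh/known_hosts"; then c=updated; else c=stale; fi
    echo "$a $b $c"
}

# Case 1: only the file is symlinked. The rename moves the symlink itself,
# so the checkout never sees host-b and the .old backup is now the only link.
file_symlink_case() {
    home=$(mktemp -d); mkdir "$home/.ssh"
    ln -s "$REPO/ssh/known_hosts" "$home/.ssh/known_hosts"
    replay_ssh_update "$home/.ssh" 'host-b ssh-ed25519 AAAAconstructedKeyB'
    report "$home/.ssh" host-b
}

# Case 2: the whole ~/.ssh directory is the symlink. Every step now happens
# inside the checkout, so the versioned file receives host-c.
dir_symlink_case() {
    home=$(mktemp -d)
    ln -s "$REPO/ssh" "$home/.ssh"
    replay_ssh_update "$home/.ssh" 'host-c ssh-ed25519 AAAAconstructedKeyC'
    report "$home/.ssh" host-c
}

echo "file symlink:      $(file_symlink_case)"   # regular symlink stale
echo "directory symlink: $(dir_symlink_case)"    # regular regular updated
```

In case 1 a `git status` in the checkout shows nothing changed, which is exactly the silent failure the question reports; in case 2 the versioned file shows the new line.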

2 Answers

2

It seems it is hardcoded in the source code, so one option is to rewrite it to suit your needs (not recommended).

1
  • Thanks. That's an unfortunate decision by openssh devs. Commented Sep 16, 2023 at 18:33
-1

For me (macOS), the creation of the known_hosts.old file wasn't to do with having known_hosts under version control in a git repository; it was a simple formatting issue in my .ssh/config file.

Original:

    Host github.com
    Hostname ssh.github.com
    Port 443
    User git
    AddKeysToAgent yes
    UseKeychain yes
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    UserKnownHostsFile ~/.ssh/known_hosts

Fix:

    Host github.com
      Hostname ssh.github.com
      Port 443
      User git
      AddKeysToAgent yes
      UseKeychain yes
      IdentityFile ~/.ssh/id_ed25519
      IdentitiesOnly yes
      UserKnownHostsFile ~/.ssh/known_hosts

After the adjustment, I deleted both the .ssh/known_hosts and .ssh/known_hosts.old and re-authenticated:

    % ssh -T git@github.com
2
  • There is no difference between the two config files besides indentation... Commented Jun 1, 2024 at 14:41
  • @N.I. That's correct, I listed multiple possible options that would need to be indented under Host, for varying configurations. This prevented the creation of known_hosts.old on macOS. Commented Jun 20, 2024 at 1:02
