0

I created new host keys on serverA, updated sshd_config accordingly (adding the line below) and restarted ssh:

    cd /etc/ssh
    sudo ssh-keygen -f 2024_ssh_host_ed25519_key -t ed25519 -N ''
    sudo vi /etc/ssh/sshd_config   # added line: HostKey /etc/ssh/2024_ssh_host_ed25519_key
    sudo service ssh restart

When I connect to serverA (ssh -v -o UpdateHostKeys=yes serverA) afterwards, known_hosts on the client is not updated. The output of the ssh command contains this:

    debug1: Host '[serverA.domain.internal]:22' is known and matches the ED25519 host key.
    # ...
    debug1: client_input_hostkeys: searching /Users/snafu/.ssh/known_hosts for [serverA.domain.internal]:22 / (none)
    debug1: client_input_hostkeys: searching /Users/snafu/.ssh/known_hosts2 for [serverA.domain.internal]:22 / (none)
    debug1: client_input_hostkeys: hostkeys file /Users/snafu/.ssh/known_hosts2 does not exist
    debug1: client_input_hostkeys: host key found matching a different name/address, skipping UserKnownHostsFile update

The old host key(s) are obviously present in known_hosts – but why would that prevent the update?

If I comment out the old host keys in /etc/ssh/sshd_config, the host presents only the new key (as expected), and the client refuses it (as expected).

2
  • Did you restart the sshd after updating the key? Commented Oct 13, 2024 at 8:09
  • 1
    Yes, as stated in my question (did not include the restart command in the quote, though – corrected). Commented Oct 13, 2024 at 8:37

1 Answer

0

Damien Miller helped me solve the problem: Increasing the verbosity (ssh -vvv -o UpdateHostKeys=yes serverA) revealed a known_hosts entry linked to serverA's IP address (I had forgotten that I had connected to it by IP address at some point). Deleting this entry solved the problem; the new host key was stored in known_hosts when I connected to serverA again.
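To make the failure mode in the question and the cause in the answer concrete, here is an added example (not code from the thread, nor from OpenSSH itself) that re-implements the decision the client makes in the "host key found matching a different name/address" branch: before writing anything, ssh looks through known_hosts and, if any key the server just offered is already stored under a name or address pattern that does not cover the name being connected to, it skips the update. The script parses a constructed known_hosts (plain, port-qualified and HashKnownHosts-style entries with placeholder key blobs, not real keys), takes the set of keys the server offers after a new HostKey was added alongside the old ones, and reports the conflicting lines, which in this thread is the forgotten entry stored under the server's IP address.

```python
"""Emulate the UpdateHostKeys check that decides whether ssh may touch
known_hosts. Added example for this thread; the known_hosts lines, salt
and key blobs below are constructed placeholders, not real keys."""
import base64
import hashlib
import hmac
import re

HASH_MAGIC = "|1|"  # prefix of a HashKnownHosts entry: |1|<base64 salt>|<base64 hmac-sha1>


def hash_hostname(name: str, salt: bytes) -> str:
    """Build a HashKnownHosts pattern: base64(HMAC-SHA1(salt, name))."""
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return f"{HASH_MAGIC}{base64.b64encode(salt).decode()}|{base64.b64encode(digest).decode()}"


def match_glob(pattern: str, name: str) -> bool:
    """OpenSSH-style wildcard match: only '*' and '?' are special and names
    compare case-insensitively. '[' stays literal (unlike fnmatch), which
    matters because port-qualified entries look like [host]:port."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, name, re.IGNORECASE) is not None


def pattern_matches(pattern_field: str, name: str) -> bool:
    """Does the first field of a known_hosts line cover `name`?
    Handles hashed entries, comma-separated lists and '!' negations."""
    if pattern_field.startswith(HASH_MAGIC):
        _, _, salt_b64, digest_b64 = pattern_field.split("|")
        expected = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(digest_b64))
    matched = False
    for pat in pattern_field.split(","):
        if pat.startswith("!"):
            if match_glob(pat[1:], name):
                return False  # a negated pattern vetoes the whole line
        elif match_glob(pat, name):
            matched = True
    return matched


def find_blocking_entries(known_hosts: str, connect_name: str, server_keys):
    """Return (line_no, pattern, key_type) for every line whose key is one the
    server offered but whose name pattern does not cover connect_name. A single
    such line is enough for ssh to skip the known_hosts update."""
    offered = set(server_keys)
    blocking = []
    for line_no, raw in enumerate(known_hosts.splitlines(), start=1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # @cert-authority / @revoked lines are left out of this check
            continue
        if len(fields) < 3:
            continue
        pattern, key_type, blob = fields[0], fields[1], fields[2]
        if (key_type, blob) in offered and not pattern_matches(pattern, connect_name):
            blocking.append((line_no, pattern, key_type))
    return blocking


# --- constructed sample data (placeholders, not real keys or salts) ---
SALT = bytes(range(20))
OLD_ED25519 = ("ssh-ed25519", "AAAAC3OLDKEYPLACEHOLDER")
NEW_ED25519 = ("ssh-ed25519", "AAAAC3NEWKEYPLACEHOLDER")
OLD_RSA = ("ssh-rsa", "AAAAB3RSAKEYPLACEHOLDER")
CONNECT_NAME = "[serverA.domain.internal]:22"

KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    f"{CONNECT_NAME} {OLD_ED25519[0]} {OLD_ED25519[1]}",
    f"{hash_hostname(CONNECT_NAME, SALT)} {OLD_RSA[0]} {OLD_RSA[1]}",
    f"[192.0.2.10]:22 {OLD_ED25519[0]} {OLD_ED25519[1]}",  # the forgotten by-IP-address entry
    "otherhost.example ssh-ed25519 AAAAC3UNRELATEDPLACEHOLDER",
])

# Keys offered after adding a new HostKey while the old HostKey lines stay in sshd_config
SERVER_KEYS = [OLD_ED25519, OLD_RSA, NEW_ED25519]


def diagnose(known_hosts=KNOWN_HOSTS, connect_name=CONNECT_NAME, server_keys=SERVER_KEYS):
    """Report the lines that block the update and how to clear them."""
    blocking = find_blocking_entries(known_hosts, connect_name, server_keys)
    if not blocking:
        print(f"no conflicting entries; known_hosts for {connect_name} would be updated")
    for line_no, pattern, key_type in blocking:
        print(f"line {line_no}: {key_type} key is also stored under '{pattern}', so ssh skips the update")
        if not pattern.startswith(HASH_MAGIC):
            print(f"  clear it with: ssh-keygen -R '{pattern}'")
    return blocking


if __name__ == "__main__":
    diagnose()
```

Run as-is it flags line 4, the entry under the IP address, and suggests the matching ssh-keygen -R call; hashed entries are reported without a removal hint because the stored name cannot be recovered from the hash. The same scan run with the IP address as the connect name flags the serverA lines instead, which is why connecting to one host under several names (or by name and by address) leaves stale keys behind that UpdateHostKeys will not clean up on its own.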
