Chapter 4. Installation and Compile-Time
4.1.6 Creating the Serverwide Known-Hosts File
After configuring and installing SSH1 on a host, it's time to create a machinewide known hosts file. [Section 2.3.1] Normally /etc/ssh_known_hosts, this file contains the public host keys of all hosts in the local domain or remote hosts that people in this domain connect to frequently via SSH1. For example, the known hosts file on myhost.example.com likely contains the host keys of all machines in the example.com domain and perhaps others.
You can get by without populating this file, if the SSH client is configured to add new host keys to users' personal known_hosts files. [Section 7.4.3.1] However, it's better to fill the central file with as many common hosts as possible, for these reasons:
• It makes users' lives easier, avoiding the various prompts for adding keys.
• It's more secure. When you accept a key for a new SSH server, you are open to man-in-the-middle attacks. [Section 3.10.4] If the remote host key is known in advance, and an intruder tries to masquerade as a remote host, the SSH client will detect the fake host key.
The known-hosts file is required for trusted-host authentication. [Section 3.4.2.3] Only users connecting from hosts whose keys appear in the file may be authenticated by this method.
You can collect all the host keys by hand while or after you install SSH on your hosts. But if you have a large number of hosts, SSH1 comes with a utility to help with the task: make-ssh-known-hosts.
This Perl script queries the Domain Name Service (DNS) to find all hostnames in the local domain, and connects to them using SSH to obtain their host keys. The keys are then written to standard output as a list ready for inclusion in the known-hosts file.
In its simplest form, the program is invoked with one argument, the name of the local domain:
# SSH1 only
$ make-ssh-known-hosts example.com > /etc/ssh_known_hosts
make-ssh-known-hosts has quite a few command-line flags for tailoring its behavior. [Section 4.1.6.1] In addition, you may limit which machines are queried by providing Perl-style regular expressions as arguments following the domain name. For example, to print the host keys of all hosts in example.com whose names begin with z:
$ make-ssh-known-hosts example.com '^z'
A second regular expression argument performs the opposite task: it excludes the keys of hosts that match the regular expression. You can extend the previous example to exclude hosts ending in x:
$ make-ssh-known-hosts example.com '^z' 'x$'
Just for fun, here's a command that produces no host keys at all:
$ make-ssh-known-hosts example.com mymachine mymachine
It prints nothing because it includes and excludes the same string.
4.1.6.1 make-ssh-known-hosts command-line flags
Each flag may appear in two forms, both of which we present in the discussion that follows:
• A full word preceded by a double-dash, such as --passwordtimeout
• An abbreviated form with a single dash, such as -pa
The following flags are related to program locations:
--nslookup (-n) path
Inform the script of the full path to nslookup, a program to make DNS queries. The default is to locate nslookup in the shell's current search path.
--ssh (-ss) path
Inform the script of the full path to the SSH client. You may also provide command-line options to ssh here. The default is to locate ssh in the shell's current search path.
These flags are related to timeouts:
--passwordtimeout (-pa) timeout
How long to wait for the user to type a password, in seconds. The default is not to prompt for passwords. A value of means prompt for a password with timeouts disabled.
--pingtimeout (-pi) timeout
How long to wait for a ping response from a host's SSH port, in seconds. The default is 3 seconds.
--timeout (-ti) timeout
How long to wait for an SSH command to complete, in seconds. The default is 60 seconds.
Here are flags related to domain information:
--initialdns (-i) nameserver
Initial nameserver to query; otherwise, uses the resolver list. The first query is for the zone SOA record of the domain argument to make-ssh-known-hosts. It then does a zone transfer from the master nameserver listed in the SOA record.
--server (-se) nameserver
If this is given, skip the SOA record lookup and immediately do the zone transfer from this nameserver.
--subdomains (-su) domain1,domain2,...
Normally, make-ssh-known-hosts includes aliases for each host using all domain-name abbreviations starting from the leftmost label and moving to the right, except for the second-to-last one. So for example, host foo.bar.baz.geewhiz.edu gets these names:
foo
foo.bar
foo.bar.baz
foo.bar.baz.geewhiz.edu
This option allows you to pick a subset of these subdomains to be included, instead of all of them.
--domainnamesplit (-do)
Create aliases for each host key in the output by splitting the domain name into prefixes.
For example, domain name a.b.c is split into the prefixes a, a.b, and a.b.c, and each prefix is appended to each hostname to create an alias.
--norecursive (-nor)
Obtain keys only for the domain listed and not (recursively) its subdomains. The default is to examine subdomains.
These are flags related to output and debugging:
--debug (-de) level
Specify a nonnegative integer debugging level. The higher the level, the more debugging output is produced. The default is 5. At press time, the highest level used within make-ssh-known-hosts is 80.
--silent (-si)
Don't ring the terminal bell. The default is to make noise.
--keyscan (-k)
Print results in an alternative format used by ssh-keyscan, a program for gathering SSH public keys. ssh-keyscan is a separate piece of software, not part of SSH1. [Section 13.4]
Finally, this flag is related to failure recovery:
--notrustdaemon (-notr)
make-ssh-known-hosts invokes ssh host cat /etc/ssh_host_key.pub to obtain a host's public key. If that command fails for some reason (e.g., the key file is elsewhere), SSH may still have gotten the key via the SSH protocol and stored it in the user's ~/.ssh/known_hosts file. Normally, make-ssh-known-hosts uses that key; with --notrustdaemon, the key is included but commented out.