
Updating knownhosts


[email protected]:~$ ssh-keyscan -t rsa -H
# SSH-2.0-conker_1.0.257-ce87fba app-128
|1|yr6p7i8doy Lh Dtrrn WDk7m9QVXk=|Lu KNg9gype Dhf Ro/Av LTAlxny Qw= ssh-rsa AAAAB3Nza C1yc2EAAAABIw AAAQEAubi N81e Dcafrg Me Lza FPsw2k Nv Ecq TKl/Vq Lat/Ma B33p Zy0y3r JZtnqw R2q OOvbw KZYKi EO1O6Vq NEBx Kv JJel Cq0d TXWT5pb O2g DXC6h6QDXCa Ho6p OHGPUy YBa GQRGu Sus MEASYi Wun YN0v CAI8Qa Xn WMXNMd FP3j HAJH0e Dsoi Gn LPBl Bp4TNm6r YI74n Mzgz3B9Iik W4WVK dc8KZJZWYj Au ORU3jc1c/NPsk D2ASinf8v3xnf Xeuk U0s J5N6m5E8VLj Ob PEO m N2t/FZTMZLi Fq PWc/ALSqn Mnnhwr Ni2rbfg/rd/Ip L8Le3p SBne8 see FVBo Gqz HM9y Xw==

" convention.

As I've done my best to obtain untainted data with which to identify this host and decide whether to trust it, I will add that identification to the known_hosts file under my home directory (~/.ssh/known_hosts).

    = ''
      changed_when: False
    - name: fetch remote ssh key
      command: ssh-keyscan -T5
      register: keyscan
      failed_when: != 0 or keyscan.stdout == ''
      changed_when: False
      when: == 1
    - name: add ssh-key to local known_hosts
      lineinfile:
        name: ~/.ssh/known_hosts
        create: yes
        line: ""
      when: == 1
      with_items: ''

, pointing to that file, to ensure that you're connecting to the host you believe you should be connecting to.

I'd really like to avoid having to use Expect or whatever to answer the interactive prompt if I can.

---
# ansible playbook that adds ssh fingerprints to known_hosts
- hosts: all
  connection: local
  gather_facts: no
  tasks:
    - command: /usr/bin/ssh-keyscan -T 10
      register: keyscan
    - lineinfile: name=~/.ssh/known_hosts create=yes line=
      with_items: ''

[email protected]:~$ git clone [email protected]:viperks/
Cloning into 'viperks-api'...

First, install nmap on your daily driver.

[email protected]:~$ nmap --script ssh-hostkey
Starting Nmap 7.01 ( https://) at 2016-10-05 EDT
Nmap scan report for (104.192.143.3)
Host is up (0.032s latency).
Other addresses for (not scanned): 104.192.143.2 104.192.143.1 2401:1d10::150
Not shown: 997 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-hostkey:
|   1024 35:ee:d7:b8:ef:d:e2:c:9e:ab:40:6f: (DSA)
|_  2048 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa::7c:40 (RSA)
80/tcp  open  http
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 42.42 seconds

Either I'm compromised at every one of the multiple places and machines I've checked from, or, the far more plausible explanation, everything is hunky dory.

nmap is highly helpful for certain things, like detecting open ports and, as here, manually verifying SSH fingerprints. That 'fingerprint' is just the host's public key shortened with a one-way hash for our human convenience, at the risk of more than one key resolving to the same fingerprint. Regardless, back to the original string, which we can see in context below.

[email protected]:~$ ssh-keyscan
# SSH-2.0-conker_1.0.257-ce87fba app-128
no hostkey alg
# SSH-2.0-conker_1.0.257-ce87fba app-129
ssh-rsa AAAAB3Nza C1yc2EAAAABIw AAAQEAubi N81e Dcafrg Me Lza FPsw2k Nv Ecq TKl/Vq Lat/Ma B33p Zy0y3r JZtnqw R2q OOvbw KZYKi EO1O6Vq NEBx Kv JJel Cq0d TXWT5pb O2g DXC6h6QDXCa Ho6p OHGPUy YBa GQRGu Sus MEASYi Wun YN0v CAI8Qa Xn WMXNMd FP3j HAJH0e Dsoi Gn LPBl Bp4TNm6r YI74n Mzgz3B9Iik W4WVK dc8KZJZWYj Au ORU3jc1c/NPsk D2ASinf8v3xnf Xeuk U0s J5N6m5E8VLj Ob PEO m N2t/FZTMZLi Fq PWc/ALSqn Mnnhwr Ni2rbfg/rd/Ip L8Le3p SBne8 see FVBo Gqz HM9y Xw==
# SSH-2.0-conker_1.0.257-ce87fba app-123
no hostkey alg

So, ahead of time, we have a way of asking for a form of identification from the original host.

I saw so many Stack Overflow posts telling you to programmatically add the key blindly, without any kind of checking.
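The check argued for above, written out as an added example rather than the post's own code: parse ssh-keyscan output, compute the key's fingerprint both in the colon-separated MD5 form that nmap's ssh-hostkey script prints and in the SHA256 form current OpenSSH prints, and emit a known_hosts line only when it matches a fingerprint obtained out of band. The host name, the key blob and the expected fingerprint are constructed here; nothing is taken from the post's scans.

```python
import base64
import hashlib

def _ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length prefix, then the bytes."""
    return len(b).to_bytes(4, "big") + b

# Constructed placeholder ssh-rsa blob (made-up modulus, not a usable key); a
# fingerprint is a hash over exactly these decoded bytes, so it exercises the code.
FAKE_RSA_BLOB = base64.b64encode(
    _ssh_string(b"ssh-rsa")
    + _ssh_string((65537).to_bytes(3, "big"))
    + _ssh_string(b"\x00" + bytes(range(1, 64)))
).decode()

# Constructed ssh-keyscan output: banner comment, one key line, one failure line.
KEYSCAN_OUTPUT = (
    "# host.example:22 SSH-2.0-OpenSSH_7.4\n"
    f"host.example ssh-rsa {FAKE_RSA_BLOB}\n"
    "no hostkey alg\n"
)

def parse_keyscan(output):
    """Yield (host, keytype, base64_blob) per key line; skip banners and errors."""
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not line.startswith("#") and parts[1].startswith(("ssh-", "ecdsa-")):
            yield parts[0], parts[1], parts[2]

def fingerprint_md5(b64blob):
    """Colon-separated MD5 hex, as printed by nmap's ssh-hostkey script and older OpenSSH."""
    hexdigest = hashlib.md5(base64.b64decode(b64blob)).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))

def fingerprint_sha256(b64blob):
    """'SHA256:' plus unpadded base64, as printed by current OpenSSH."""
    digest = hashlib.sha256(base64.b64decode(b64blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def verified_known_hosts_lines(output, expected):
    """Return (accepted known_hosts lines, rejected (host, keytype, sha256) tuples).
    A key is accepted only if `expected[(host, keytype)]` equals its fingerprint."""
    accepted, rejected = [], []
    for host, keytype, blob in parse_keyscan(output):
        if expected.get((host, keytype)) in (fingerprint_md5(blob), fingerprint_sha256(blob)):
            accepted.append(f"{host} {keytype} {blob}")
        else:
            rejected.append((host, keytype, fingerprint_sha256(blob)))
    return accepted, rejected
```

Only the accepted lines should be appended to ~/.ssh/known_hosts; a rejected entry means the key the network handed you is not the one you verified elsewhere.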