ssh-keyscan – Why ssh-keyscan Does Not Read .ssh/config?

Tags: known-hosts, ssh, ssh-keys

I am using ssh-keyscan in a shell script to accept keys for hosts. The hosts are identified by hostname but are not in /etc/hosts. They are in .ssh/config, so I can ssh <hostname>, but I cannot ping, etc.

It looks like ssh-keyscan is not using the .ssh/config file and that seems funny.

Can someone confirm this happens to them?

Real question: Does someone have a way to make ssh-keyscan use ~/.ssh/config?

Best Answer

ssh-keyscan doesn't and cannot be made to use .ssh/config.

However, what you are asking for doesn't require it to do so: simply passing the real hostnames/addresses to ssh-keyscan (and thus storing them in the known_hosts) will work, even if you use the aliases from the config with ssh. But you can even instruct ssh-keyscan to add other names to the output besides those it used to connect when using the -f option:

 -f file
         Read hosts or “addrlist namelist” pairs from file, one per line.
         If - is supplied instead of a filename, ssh-keyscan will read
         hosts or “addrlist namelist” pairs from the standard input.
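
The -f input described in the answer can be generated from an existing config. The following is an added example, not part of the original answer: it turns Host/HostName pairs into "addrlist namelist" lines so each scanned key is recorded under both the alias and the real address. The function names, aliases and addresses in it are constructed for illustration.

```shell
# Assumptions: whitespace-separated "Host"/"HostName" lines only; wildcard
# patterns, Match blocks and Include files are skipped rather than resolved.
config_to_scanlist() {   # usage: config_to_scanlist FILE
    awk '
        function flush(   i, names) {
            if (addr != "" && n > 0) {
                names = alias[1]
                for (i = 2; i <= n; i++) names = names "," alias[i]
                print addr " " names "," addr   # addrlist, then namelist
            }
            n = 0; addr = ""
        }
        /^[ \t]*#/ { next }                          # comment line
        tolower($1) == "host" {
            flush()
            for (k = 2; k <= NF; k++)
                if ($k !~ /[*?!]/) alias[++n] = $k   # literal aliases only
            next
        }
        tolower($1) == "match" { flush(); next }     # not handled: skip block
        tolower($1) == "hostname" && n > 0 && addr == "" { addr = $2 }
        END { flush() }
    ' "$1"
}

# Constructed sample config (documentation addresses, hypothetical aliases).
sample_config() {
    cat <<'EOF'
# constructed sample
Host web1 w1
    HostName 192.0.2.10
    User deploy
Host db
    HostName db01.internal.example
Host *
    ServerAliveInterval 30
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
config_to_scanlist "$tmp"
rm -f "$tmp"
# Real use (needs network access to the hosts):
#   config_to_scanlist ~/.ssh/config | ssh-keyscan -f - > scanned_keys
```

Keys collected by ssh-keyscan are not authenticated, so compare their fingerprints (`ssh-keygen -lf scanned_keys`) with values obtained from a trusted source before appending them to known_hosts.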