The manage_sudo.sh script features a way to discover SSH host keys in bulk using the ssh-keyscan tool. This allows (SSH) administrators to recreate a known_hosts file with defunct host keys in an easy way. Use the -d or --discover options to launch a host key discovery for all targets, e.g.:

[master]$ ./manage_sudo.sh --discover

# client1 SSH-2.0-OpenSSH_5.3
client1 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsLDu4+jEyGYnVvGWy4bs4rw62HUrcHLxA6u8p5cTWr/DkHgrOksmcxGkOe...
# client2 SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
client2 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDOTD9cf0rmVlVRvkzakAGj+l9ftdn4Ew+X1X6fZC4d2QBteXEOwCSGYplEK...
read (client3): No route to host

By default all discovered host keys will be printed on STDOUT and any errors on STDERR. Note that in the above example the host keys have been deliberately shortened for readability.

Redirect STDOUT to update your known_hosts file in full, for example:

[master]$ ./manage_sudo.sh --discover > $HOME/.ssh/known_hosts

Following configuration options can be used to control SSH keys discovery:

# path to the ssh-keyscan too
SSH_KEYSCAN_BIN="/usr/bin/ssh-keyscan"

# extra arguments/options for the ssh-keyscan command
# by default -f <file> is used by manage_sudo.sh to supply hostnames, do not add here
SSH_KEYSCAN_ARGS="-t rsa"

Updated:

Leave a comment