ssh_known_hosts

Establishing trust between two hosts involves exchanging their public keys and adding them to each other’s /etc/ssh/ssh_known_hosts file.


The /etc/ssh/ssh_known_hosts file provides an association between a host identifier (name or IP address) and a public key.

The format of ssh_known_hosts is the same as the format of the ssh_known_hosts file that resides in the user’s $HOME/.ssh directory.

The ssh_known_hosts file contains entries similar to the one shown in the following example:


yellowrock.uex.edu,124.113.177.135 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6XtOSGVEY9PUnMXS6vzvJigeQQtGYwdX2v2zAAsqwYRlaNN/ddV76btf4PL812r91WYGTgcXT0r0bfSGJ9dmJQ8dPenMAKyviR2BLV1SaIqxqUSjdkXFrlHkC7alILoKrwhMvNWb+Jaa3ecuYffKThNadFTHftyntdaVkYxwW7Hr1MknksfZKMPsJjW+Mp3aZVV2wVnQkOgkSsVY8y2pT7h7KuTa66IdqkwO2ZTEXL2D1X1wIEqGqAJ2VFPQayzclqaGbCzFUYyFsCT1WUL+BzRnehI9L9IVlP3katLSokoBzbxHeu0eb92VXngnrQJ1C0dA+5O4vp2KxFKIEuwdV

The first element in the entry is the host identifier; it may be a comma-separated list (in this case, the host name yellowrock.uex.edu and its IP address 124.113.177.135). The second element is the key type (ssh-rsa). The third element is the base64-encoded public key of that host. The entry may have additional elements, but they are not relevant to this discussion.

By adding such entries to the /etc/ssh/ssh_known_hosts file, system administrators establish a one-way trust between the host where the key is added and the host whose key is added: the former will accept that public key as proof of the latter's identity when it connects to it. In the preceding example, the host where the entry is inserted in /etc/ssh/ssh_known_hosts trusts the host identified by yellowrock.uex.edu (or IP address 124.113.177.135).

In order to establish two-way trust between two hosts, the /etc/ssh/ssh_known_hosts file of each host must be updated with the public key of the other host.

In the /etc/ssh/ssh_known_hosts file, an SSH host public key is associated with a host identifier, usually a host name or IP address. The compute nodes, however, all have different host names and IP addresses but share the same SSH host keys, because they are provisioned from the same compute node image. An easy way to associate the compute nodes’ SSH host keys with a host name is to introduce a special host name that identifies all the compute nodes (for example, compute-nodes) and associate the SSH host public key from the compute node image with that host identifier.
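The following Python script is an added example, not part of the original documentation or of any SSH implementation. It parses entries in the ssh_known_hosts format described above (comma-separated host identifiers, key type, base64 key), checks that the key type field agrees with the type embedded in the key blob (a mismatch means the entry was mangled or mis-copied), computes the SHA256 fingerprint in the form ssh-keygen prints, and looks up which entry covers a given host identifier, including a shared alias such as compute-nodes. The host keys are constructed dummies (a fixed public exponent and an arbitrary odd 2048-bit modulus, not real keys), the node-* wildcard entry is an assumption added to show OpenSSH-style patterns, and hashed host names and @cert-authority/@revoked markers are deliberately not handled.

```python
import base64
import fnmatch
import hashlib
import struct
from dataclasses import dataclass

# --- SSH wire-format helpers (RFC 4251 "string" and "mpint") ---------------

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    # positive mpint: big-endian bytes, with a leading 0x00 if the high bit is set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _read_string(blob: bytes, off: int = 0):
    (length,) = struct.unpack(">I", blob[off:off + 4])
    start = off + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length

def make_rsa_blob(e: int, n: int) -> bytes:
    """Encode an ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)

# --- ssh_known_hosts entries ----------------------------------------------

@dataclass
class KnownHostEntry:
    hosts: list       # comma-separated host identifiers, split into a list
    key_type: str     # e.g. "ssh-rsa"
    key: bytes        # decoded public key blob
    comment: str = ""

def parse_known_hosts_line(line: str) -> KnownHostEntry:
    """Parse one entry; raise ValueError if it is malformed or inconsistent."""
    parts = line.split(None, 3)
    if len(parts) < 3:
        raise ValueError(f"malformed entry: {line!r}")
    hosts, key_type, key_b64 = parts[0].split(","), parts[1], parts[2]
    comment = parts[3].strip() if len(parts) == 4 else ""
    key = base64.b64decode(key_b64, validate=True)  # rejects stray characters
    # The blob itself starts with its key type; it must match the text field.
    inner_type, _ = _read_string(key)
    if inner_type.decode("ascii", "replace") != key_type:
        raise ValueError(f"key type {key_type!r} does not match blob type {inner_type!r}")
    return KnownHostEntry(hosts, key_type, key, comment)

def format_known_hosts_line(hosts, key_type, key: bytes, comment: str = "") -> str:
    """Build an entry line, e.g. for the compute-nodes alias described above."""
    line = f"{','.join(hosts)} {key_type} {base64.b64encode(key).decode('ascii')}"
    return line + (f" {comment}" if comment else "")

def fingerprint(key: bytes) -> str:
    """SHA256 fingerprint as ssh-keygen -l prints it (base64, no padding)."""
    digest = hashlib.sha256(key).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def host_matches(entry: KnownHostEntry, host: str) -> bool:
    """True if the entry's host list covers `host` (exact, * / ? wildcards, ! negation)."""
    matched = False
    for pattern in entry.hosts:
        negate = pattern.startswith("!")
        pat = pattern[1:] if negate else pattern
        if fnmatch.fnmatchcase(host.lower(), pat.lower()):
            if negate:
                return False
            matched = True
    return matched

def lookup(known_hosts_text: str, host: str) -> list:
    """Return every entry covering `host` (a host may have one key per key type)."""
    hits = []
    for raw in known_hosts_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = parse_known_hosts_line(line)
        if host_matches(entry, host):
            hits.append(entry)
    return hits

# --- constructed sample data (NOT real host keys) --------------------------
YELLOWROCK_KEY = make_rsa_blob(65537, (1 << 2047) + 12345)
COMPUTE_NODE_KEY = make_rsa_blob(65537, (1 << 2047) + 67891)

SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed /etc/ssh/ssh_known_hosts for this example",
    format_known_hosts_line(["yellowrock.uex.edu", "124.113.177.135"], "ssh-rsa", YELLOWROCK_KEY),
    # one alias (plus an assumed node-* pattern) covering every compute node
    format_known_hosts_line(["compute-nodes", "node-*"], "ssh-rsa", COMPUTE_NODE_KEY, "shared image key"),
]) + "\n"

if __name__ == "__main__":
    for host in ("yellowrock.uex.edu", "124.113.177.135", "compute-nodes", "node-07", "unknown.example"):
        hits = lookup(SAMPLE_KNOWN_HOSTS, host)
        print(host, "->", [fingerprint(e.key) for e in hits] or "no entry: ssh would prompt or refuse")
```

The key-type consistency check is the useful part when entries are pasted by hand: a key that was wrapped or truncated in transit fails base64 validation or blob parsing here rather than silently producing an entry that never matches.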