8

I'm attempting to build a global known_hosts file for my AWS VPC, and was looking at using ssh-keyscan to acquire the fingerprints of new servers as they are created. The -H option seems sensible, as it means you

do not reveal identifying information should the file's contents be disclosed

Strangely though, the output of that command comes with a helpful header:

# 1.2.3.4 SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.4

... which seems to rather defeat the point doesn't it? Obviously I can strip that bit out very easily, but having asked for hashing, I'd expect the output to contain only hashed data. Is there some logical reason for this, or is it a bug?

Jakuje
  • 5,229
  • 16
  • 31
IBam
  • 265
  • 2
  • 8
  • For reference, to ignore the comment: `ssh-keyscan -H -t ecdsa 1.2.3.4 | grep ^[^#]` – IBam Mar 04 '16 at 09:48

1 Answers1

8

Is there some logical reason for this, or is it a bug?

It's not a bug, it is a feature. The line with the comment is written to stderr unlike the host keys, therefore it is no problem if you do

ssh-keyscan -H -t rsa host > /your/known_hosts

The list of hosts will go to your terminal and not into the file.

Example:

ssh-keyscan -H -t rsa host 2> /dev/null

will show you only the hashed keys and no "comments" with hostnames.

IBam
  • 265
  • 2
  • 8
Jakuje
  • 5,229
  • 16
  • 31
  • It's rather odd and annoying that it does this, but piping stderr to `/dev/null`is how I clean its output too. – starfry Dec 23 '16 at 15:13
  • @starfry It is quite standard way, writing output to stdout and notes/errors to stderr. Isn't it what I wrote in my answer? – Jakuje Dec 23 '16 at 15:18
  • I was just agreeing with you. I encountered your answer when searching for any other way to suppress the unwanted output in the first place (like a `-q` option) but there isn't one. – starfry Dec 23 '16 at 15:24