Automatically updating known_hosts file when host key changes using Paramiko


Problem description

Currently I am using Paramiko (in Python) to execute remote commands on a node. At times, remote nodes change their public key, and consequently Paramiko fails as fingerprints do not match. Is there a way to update the keys in the known_hosts file when they change? If this is not possible, is there any other way to ignore the warning thrown?

Currently I have a hacky solution where the known_hosts file is deleted before making the call, which is not good.

Recommended answer

BadHostKeyException is thrown when a host key changes, as that is a sign of the connection being hijacked (aka Man-in-the-middle attack).

You should never blindly ignore the exception. Unless maybe, if you connect to a server located in the same private network as your client.

In your specific case, a better strategy is to preserve host keys during server reinstall.

Anyway, if you really do not care about security, and are willing to blindly accept any host key:

  • do not call SSHClient.load_host_keys, so that you start with a blank list of known host keys;
  • and use AutoAddPolicy, to automatically accept host keys of new hosts (all hosts are new due to the previous point):

ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
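
A stricter alternative to accepting any key, as an added example that is not part of the original answer: catch BadHostKeyException and rewrite the known_hosts entry only when the offered key matches a fingerprint confirmed out of band. The function names (sha256_fingerprint, is_verified, connect_pinned), the verified_fp parameter and the use of the default port 22 are assumptions made for illustration.

```python
import base64
import hashlib


def sha256_fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def is_verified(key_b64, verified_fp):
    """True only if the offered key matches the fingerprint confirmed out of band."""
    return sha256_fingerprint(key_b64) == verified_fp


def connect_pinned(host, user, known_hosts, verified_fp):
    """Connect; on a changed host key, update known_hosts only for a verified key."""
    import paramiko  # imported here so the helpers above run without Paramiko

    client = paramiko.SSHClient()
    client.load_host_keys(known_hosts)
    # Unknown hosts are rejected instead of being auto-added.
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    try:
        client.connect(host, username=user)
    except paramiko.BadHostKeyException as exc:
        offered = exc.key  # the key the server presented
        if not is_verified(offered.get_base64(), verified_fp):
            raise  # unverified change: leave known_hosts alone and fail
        keys = client.get_host_keys()
        keys.add(host, offered.get_name(), offered)  # replaces the stale entry
        keys.save(known_hosts)
        client.connect(host, username=user)
    return client


if __name__ == "__main__":
    # Constructed sample blob, not a real host key.
    sample = base64.b64encode(b"constructed-sample-key-blob").decode("ascii")
    print(sha256_fingerprint(sample))
```

The fingerprint string has the same form that `ssh-keygen -lf` prints for a host public key, so the expected value can be read on the server's console after a reinstall.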
