Automatically updating known_hosts file when host key changes using Paramiko
Question
Currently I am using Paramiko (in Python) to execute remote commands on a node. At times, remote nodes change their public key, and consequently Paramiko fails as fingerprints do not match. Is there a way to update the keys in the known_hosts file when they change? If this is not possible, is there any other way to ignore the warning thrown?
Currently I have a hacky solution where the known_hosts file is deleted before making the call, which is not good.
Recommended answer
BadHostKeyException is thrown when a host key changes, as that is a sign of the connection being hijacked (aka Man-in-the-middle attack).
You should never blindly ignore the exception. Unless maybe, if you connect to a server located in the same private network as your client.
In your specific case, a better strategy is to preserve host keys during server reinstall.
Anyway, if you really do not care about security, and are willing to blindly accept any host key:
- do not call SSHClient.load_host_keys, so that you start with a blank list of known host keys; and
- use AutoAddPolicy, to automatically accept host keys of new hosts (all hosts are new due to the previous point):
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
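The alternative to blind acceptance, as an added example that is not part of the original answer: keep RejectPolicy, and on BadHostKeyException replace the known_hosts entry only when the new key matches a fingerprint obtained out of band. The function names, the `pinned_fingerprint` parameter, port 22 and unhashed known_hosts entries are assumptions of this sketch.

```python
import base64
import hashlib


def sha256_fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def key_is_pinned(key_b64, pinned_fingerprint):
    """True only if the presented key hashes to the fingerprint we trust."""
    return sha256_fingerprint(key_b64) == pinned_fingerprint


def connect_with_pin(host, username, known_hosts_path, pinned_fingerprint):
    """Connect on port 22; replace a changed host key only if it matches the pin.

    pinned_fingerprint is an assumption of this example: a value obtained
    out of band, never one read from the connection being verified.
    """
    import paramiko  # imported here so the helpers above need only the stdlib

    def open_client():
        client = paramiko.SSHClient()
        client.load_host_keys(known_hosts_path)
        # Unknown hosts are refused; changed keys raise BadHostKeyException.
        client.set_missing_host_key_policy(paramiko.RejectPolicy())
        try:
            client.connect(host, username=username)
        except Exception:
            client.close()
            raise
        return client

    try:
        return open_client()
    except paramiko.BadHostKeyException as exc:
        if not key_is_pinned(exc.key.get_base64(), pinned_fingerprint):
            raise  # key changed and is not the one we expect: do not connect
        # Assumes plain (unhashed) host names in known_hosts.
        keys = paramiko.HostKeys(known_hosts_path)
        keys.add(host, exc.key.get_name(), exc.key)  # replaces same-type entry
        keys.save(known_hosts_path)
        return open_client()  # verified again against the updated file
```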