[GH-ISSUE #155] Is it possible to remove a particular host key? #35

Closed
opened 2026-05-07 00:17:55 +02:00 by BreizhHardware · 3 comments

Originally created by @dwydler on GitHub (Mar 8, 2021).
Original GitHub issue: https://github.com/ovh/the-bastion/issues/155

Hi Guys,
On the weekend I had to generate a new SSH key pair on a switch. Because of that, all users get an error on connection attempt saying that the fingerprint is no longer correct. The output also displays the exact `ssh-keygen` command to the user.

But the user cannot execute the command in this shell (osh.pl). Is there an option in the configuration file of the bastion to allow this?

Regards,
Daniel


@speed47 commented on GitHub (Mar 16, 2021):

Yes, there is an osh command to do that: `--osh selfForgetHostKey --host ip.or.example.org`.
The documentation is [over here](https://ovh.github.io/the-bastion/plugins/open/selfForgetHostKey.html).

For completeness' sake, if remote host keys change often or for some reason on specific accounts you want to relax this security, you can use `--osh accountModify --account ACCOUNT --egress-strict-host-key-checking yes|no|ask|default|bypass`, more info [here](https://ovh.github.io/the-bastion/plugins/restricted/accountModify.html).

@dwydler commented on GitHub (Mar 16, 2021):

Is it technically possible to replace the command `ssh-keygen` with the `osh.pl`?
So all users have distinct and clear instructions on what to do. I am a lazy IT admin.. ;-)

@speed47 commented on GitHub (Mar 17, 2021):

Actually, this is already the case, but after looking into it, I see that the output message of SSH changed a bit in the latest versions, so this is no longer correctly detected to print our own help message instead.
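
The fragility described in the last comment (a help-message rewrite that stops firing when the SSH warning text changes) can be reduced by matching on more than one marker. The following is an added example, not The Bastion's own code: the function names and both sample outputs are constructed for illustration, modelled on OpenSSH's host key mismatch warning.

```python
import re

BANNER = re.compile(r"REMOTE HOST IDENTIFICATION HAS CHANGED", re.I)
# The host can appear in the "has changed" sentence or in the ssh-keygen -R hint.
HOST_PATTERNS = [
    re.compile(r"host key for (\S+) has changed", re.I),
    re.compile(r"ssh-keygen\b.*\s-R\s+[\"']?([^\"'\s]+)"),
]
SAFE_HOST = re.compile(r"[A-Za-z0-9][A-Za-z0-9._:-]*")

# Constructed samples modelled on OpenSSH's warning; wording differs by version.
SAMPLE_A = """\
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
ECDSA host key for 192.0.2.10 has changed and you have requested strict checking.
Host key verification failed."""
SAMPLE_B = """\
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
Offending ED25519 key in /home/alice/.ssh/known_hosts:7
  remove with:
  ssh-keygen -f "/home/alice/.ssh/known_hosts" -R "[switch1.example.org]:2222"
Host key verification failed."""


def extract_changed_host(stderr_text):
    """None: no mismatch warning. "": warning seen, no usable host. Else the host."""
    if not BANNER.search(stderr_text):
        return None
    for pattern in HOST_PATTERNS:
        m = pattern.search(stderr_text)
        if not m:
            continue
        host = m.group(1).rstrip(".")
        bracketed = re.fullmatch(r"\[([^\]]+)\]:\d+", host)  # "[host]:port" form
        if bracketed:
            host = bracketed.group(1)
        # Only echo back values that look like a hostname or IP address.
        if SAFE_HOST.fullmatch(host):
            return host
    return ""


def rewrite_hint(stderr_text):
    """Swap the ssh-keygen hint for the bastion command named in this thread."""
    host = extract_changed_host(stderr_text)
    if host is None:
        return stderr_text
    skip = ("ssh-keygen", "remove with")
    kept = [l for l in stderr_text.splitlines() if not any(s in l for s in skip)]
    kept.append(f"To forget the old key: --osh selfForgetHostKey --host {host or 'HOST'}")
    return "\n".join(kept)
```

Because the extracted host is validated before it is echoed into a suggested command, a value that does not look like a hostname or IP address falls back to the `HOST` placeholder instead of being passed on to the user.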
