tl;dr: You might find this gist handy if you enable HashKnownHosts
Modern ssh comes with the option to obfuscate the hosts it can connect to, by enabling the HashKnownHosts option. Modern server installs have that as a default. This is a good thing.
The obfuscation occurs by hashing the first field of the known_hosts file - this field contains the hostname,port and IP address used to connect to a host. Presumably, there is a private ssh key on the host used to make the connection, so this process makes it harder for an attacker to utilize those private keys if the server is ever compromised.
Super! Nifty! Now how do I audit those files? Some services have multiple IP addresses that serve a host, so some updates and changes are legitimate. But which ones? It’s a one way hash, so you can’t decode.
Well, if you had an unhashed copy of the file, you could match host keys and determine the host name & IP.  You might just have such a file on your laptop (at least I don’t hash keys locally).  (Or build a special file by connecting to the hosts you expect with the options “-o HashKnownHosts=no -o UserKnownHostsFile=/path/to/new_master”.)
I through together a quick python script to do the matching, and it’s at this gist. I hope it’s useful - as I find bugs, I’ll keep it updated.
Bonus Tip: https://github.com/defunkt/gist
Is a very nice way to manage gists from the command line.
|||A lie - you’ll only get the host name and IP’s that you have connected to while building your reference known_hosts file.|
|||I use other measures to keep my local private keys unusable.|
As much as GMail’s search syntax makes me long for PCRE, there are some unobvious gems laying around.
For example, I get tons of mail about releases. Occasionally, I need to monitor a given release, paying attention to not only the automated progress, but also human generated emails as well. Here’s my current setup:
- Automated email is marked as read & skips inbox (unless it’s a failure)
- Any release oriented email is given a special label using a filter similar to “subject:((38.0b1) OR (38 Beta) OR (31. AND "esr")”.
That’s pretty standard. The productivity add is when I use the “multi-inbox” feature in the web ui. I set the top one to be just the unread ones with the special label from today:
newer_than:1d label:SPECIAL_LABEL is:unread
With positioning of “extra panels” to the right side, I get a very focussed look at any issues I need to look at!
I love seeing that “(no messages)” text!