New SSH server key added every time I trigger a call-home, not checking the known_host file. #1618

Closed
safwan2m opened this issue Aug 5, 2024 · 3 comments · Fixed by CESNET/libnetconf2#500
Labels
is:enhancement Request for adding new feature or enhancing functionality. status:completed From the developer perspective, the issue was solved (bug fixed, question answered,...)

Comments

safwan2m commented Aug 5, 2024

When SSH connection establishment is to be done using the call-home message, the program does not check for the known_hosts file and keeps on adding SSH keys. I believe this is an issue; while I went through the netopeer2 and libnetconf2 code, I didn't find any code that checks the known_hosts file. Please let me know if it is otherwise.

Roytak (Collaborator) commented Aug 7, 2024

Hi, I believe the client checks for the known_hosts file each time a Call Home connection is established. Even though an entry with a matching public key can be found in the known_hosts file, a new entry gets created "each time", because the port of the server trying to connect is generated randomly and the new port number most likely does not match any entry in said file.

This should be resolved once the YANG feature local-binding-supported of the ietf-tcp-client YANG model is supported and implemented. Then you would be able to configure the port and the address where these connections are coming from. Or perhaps a new option could be added to netopeer2-cli's knownhosts command that would allow changing the known hosts mode (which is set to ask by default).
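The port-matching failure Roytak describes above, modelled in Python as an added example (not libnetconf2's or netopeer2-cli's own code, which rely on libssh's known_hosts handling): a host-key lookup that recognises a server key already recorded for the same host under a different port, so a Call Home server arriving from a random source port is not treated as a new host, while a different key for an already-recorded host:port is still flagged. The host names, keys, salt and known_hosts content are constructed; wildcard patterns are not handled.

```python
import base64
import hashlib
import hmac

def hashed_pattern(name: str, salt: bytes) -> str:
    """Build an OpenSSH hashed host pattern: |1|base64(salt)|base64(HMAC-SHA1(salt, name))."""
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return f"|1|{base64.b64encode(salt).decode()}|{base64.b64encode(digest).decode()}"

def _pattern_matches(pattern: str, name: str) -> bool:
    """True if a plain (comma-separated) or hashed known_hosts pattern names this exact host."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, hash_b64 = pattern.split("|")
        digest = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(digest, base64.b64decode(hash_b64))
    return name in pattern.split(",")  # wildcard patterns are not handled here

def _plain_hosts(pattern: str) -> list:
    # Bare host names from a plain pattern, unwrapping the [host]:port form.
    return [i[1:i.index("]:")] if i.startswith("[") and "]:" in i else i for i in pattern.split(",")]

def lookup(known_hosts: str, host: str, port: int, keytype: str, key_b64: str) -> str:
    """MATCH / MISMATCH: an entry for exactly this host:port agrees / disagrees with the key.
    KNOWN_OTHER_PORT: same host and key recorded under another port (the Call Home case,
    where the server's source port is random), so nothing new needs adding.
    UNKNOWN: nothing recorded for this host; fall back to the knownhosts mode (ask/strict)."""
    exact = f"[{host}]:{port}" if port != 22 else host  # OpenSSH naming convention
    key_seen_for_host = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@":  # skip comments and @marker lines
            continue
        pattern, ktype, kdata = fields[:3]
        if ktype != keytype:
            continue
        if _pattern_matches(pattern, exact):
            return "MATCH" if kdata == key_b64 else "MISMATCH"
        if kdata == key_b64 and host in _plain_hosts(pattern):
            key_seen_for_host = True
    return "KNOWN_OTHER_PORT" if key_seen_for_host else "UNKNOWN"

KEY_A = base64.b64encode(b"constructed-server-key-A").decode()  # constructed, not a real key
KEY_B = base64.b64encode(b"constructed-server-key-B").decode()
SALT = b"constructed-20B-salt"
KNOWN_HOSTS = "\n".join([  # constructed known_hosts content, not from the issue
    "# constructed known_hosts",
    f"[192.0.2.10]:51234 ssh-ed25519 {KEY_A}",  # earlier Call Home from a random source port
    f"{hashed_pattern('192.0.2.10', SALT)} ssh-ed25519 {KEY_A}",  # same host, hashed, port 22
    f"[198.51.100.7]:830 ssh-rsa {KEY_B}",
])
```

Calling `lookup(KNOWN_HOSTS, "192.0.2.10", 60001, "ssh-ed25519", KEY_A)` returns `KNOWN_OTHER_PORT`: the key is already trusted for that host, which is exactly the case where a port-keyed lookup would append yet another line.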

@Roytak Roytak added the is:question Issue is actually a question. label Aug 7, 2024
@michalvasko michalvasko added is:enhancement Request for adding new feature or enhancing functionality. status:completed From the developer perspective, the issue was solved (bug fixed, question answered,...) and removed is:question Issue is actually a question. labels Aug 12, 2024
safwan2m (Author) commented

I was trying to write my own NETCONF client code, following netopeer2-cli, but couldn't find any function that checks the known_hosts in cmd_listen. Later I was able to avoid adding new keys for every call-home by using the callback nc_client_ssh_ch_set_auth_hostkey_check_clb. Not sure if it's the right way to do it, but it solves my current issue.
Thanks for your response @Roytak.

michalvasko (Member) commented

The function that configures hostkey verification is nc_client_ssh_set_knownhosts_mode().
