[Bug 1993] New: ssh tries to add keys to ~/.ssh/known_hosts though StrictHostKeyChecking yes is set

bugzilla-daemon at bugzilla.mindrot.org
Wed Mar 28 03:49:48 EST 2012


https://bugzilla.mindrot.org/show_bug.cgi?id=1993

             Bug #: 1993
           Summary: ssh tries to add keys to ~/.ssh/known_hosts though
                    StrictHostKeyChecking yes is set
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 5.9p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: calestyo at scientia.net


Hi.

By chance I found out that, despite what ssh_config(5) says:
>StrictHostKeyChecking
> If this flag is set to “yes”, ssh(1) will never automatically add
> host keys to the ~/.ssh/known_hosts file,

it does try to add keys there, namely those for which a key is already
set in the system wide known hosts file, but only for the hostname and
not for the IP address.

It says:
Failed to add the RSA host key for IP address '129.187.131.211' to the
list of known hosts (/var/lib/nagios/.ssh/known_hos).

(btw: Notice that it cuts the file name, is this another bug?)


While CheckHostIP no prevents the above, it also means (AFAIU) that the
IP is not checked, FOR WHICH it was e.g. manually added.


Not sure whether this is a bug, or a documentation issue.... and what
the right way around is (CheckHostIP no? or UserKnownHostsFile
/dev/null ? )


Cheers,
Chris.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
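
An audit for the condition the report describes, added here as an example and not part of the original report or of OpenSSH: it lists hosts whose key is recorded in a known_hosts file by name but not by address, including entries hashed with HashKnownHosts. The sample file, the name-to-address map and all function names are constructed for illustration; only default-port entries are handled.

```python
import base64, fnmatch, hashlib, hmac

def hash_host(name, salt=b"constructed-salt-val"):
    """Build a HashKnownHosts-style field: |1|base64(salt)|base64(HMAC-SHA1(salt, name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

# Constructed sample of a system-wide known_hosts file; key blobs are placeholders.
SAMPLE = "\n".join([
    "# constructed sample, not real keys",
    "mon1.example.org ssh-rsa PLACEHOLDERKEY1",
    "db1.example.org,192.0.2.20 ssh-rsa PLACEHOLDERKEY2",
    "web1.example.org ssh-ed25519 PLACEHOLDERKEY3",
    hash_host("192.0.2.30") + " ssh-ed25519 PLACEHOLDERKEY3",
])
# Constructed name-to-address map; in practice taken from DNS or an inventory.
ADDRS = {"mon1.example.org": "192.0.2.10", "db1.example.org": "192.0.2.20",
         "web1.example.org": "192.0.2.30"}

def pattern_matches(pattern, name):
    """Match one entry of the host field against a name or address (port 22 only)."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, hash_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(hash_b64))
    if pattern.startswith(("[", "!")):
        return False  # simplification: [host]:port and negated patterns are skipped
    return fnmatch.fnmatchcase(name.lower(), pattern.lower())

def parse(text):
    """Return (patterns, keytype, key) for each plain key line."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # blank, comment, or @cert-authority/@revoked marker line
        entries.append((fields[0].split(","), fields[1], fields[2]))
    return entries

def keys_for(name, entries):
    """Set of (keytype, key) pairs recorded for a name or address."""
    return {(kt, key) for pats, kt, key in entries
            if any(pattern_matches(p, name) for p in pats)}

def missing_ip_entries(text, addrs):
    """List (host, ip, keytype) where a key is recorded by name but not by address."""
    entries = parse(text)
    return [(host, ip, kt) for host, ip in sorted(addrs.items())
            for kt, _ in sorted(keys_for(host, entries) - keys_for(ip, entries))]

if __name__ == "__main__":
    for gap in missing_ip_entries(SAMPLE, ADDRS):
        print("no address entry: %s %s %s" % gap)
```
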

