[Bug 1993] ssh tries to add keys to ~/.ssh/known_hosts though StrictHostKeyChecking yes is set

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu May 28 16:18:22 AEST 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=1993

--- Comment #7 from Darren Tucker <dtucker at zip.com.au> ---
(In reply to Darren Tucker from comment #6)
> Created attachment 2635 [details]
> Remove length limits on know host file name in log messages

A slightly different version of the patch has been committed and will
be in the 6.9 release.

(When I first looked at this I assumed the log message was accurate and
went looking for a truncation in the actual path name used and ended up
barking up the wrong tree.)

(In reply to Christoph Anton Mitterer from comment #4)
[..]
> It *still* happens, that SSH automatically adds a key, i.e.:
> $ echo > ~/.ssh/known_hosts
> $ ssh -o StrictHostKeyChecking=no someHost
> Warning: Permanently added the ECDSA host key for IP address
> '2e01:2a6:b9:3823::2:1' to the list of known hosts.
> (changed the IP/name for privacy reasons).

Err, that's exactly what StrictHostKeyChecking=no is supposed to do:

"If this flag is set to "no", ssh will automatically add new host keys
to the user known hosts files."

> Alex, you obviously confused the value no with yes... "no" is meant
> to automatically add the key

My thoughts exactly :-)

Assuming you meant "StrictHostKeyChecking=yes", I can imagine 2 cases
where this could be the case: the server sending you a new host key via
hostkeys-00@openssh.com as mentioned above, or adding a key for
the IP address only after having found a correct matching host key for
the name in the system-wide config.  The debug output from ssh -vvv
should give a clue as to what is going on, so please attach one.
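The second case above (a key already trusted for the host name, but no known_hosts entry for its IP address, which ssh then learns and logs as "Permanently added ... for IP address" regardless of StrictHostKeyChecking) can be reproduced offline with this added script; it is not OpenSSH code or part of the bug report. It parses plain and hashed known_hosts lines (the `|1|salt|hmac-sha1|` form) and uses a constructed sample file; wildcard and `!` patterns are deliberately not handled.

```python
import base64
import hashlib
import hmac


def hash_host(host, salt):
    """Hashed known_hosts pattern: |1|b64(salt)|b64(HMAC-SHA1(salt, host))|."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (base64.b64encode(salt).decode(),
                          base64.b64encode(digest).decode())


def pattern_matches(pattern, name):
    """Match one host field (plain comma list or hashed) against name."""
    if pattern.startswith("|1|"):
        return hash_host(name, base64.b64decode(pattern.split("|")[2])) == pattern
    return name in pattern.split(",")


def parse_known_hosts(text):
    """Yield (marker, host_field, key_type, key_b64) for each usable line."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = None
        if fields[0].startswith("@"):  # @cert-authority / @revoked
            marker, fields = fields[0], fields[1:]
        if len(fields) >= 3:
            yield marker, fields[0], fields[1], fields[2]


def entries_for(text, name, key_type, key_b64):
    """Entries that cover `name` with exactly this key."""
    return [(m, pat) for m, pat, kt, kb in parse_known_hosts(text)
            if kt == key_type and kb == key_b64 and pattern_matches(pat, name)]


def would_add_ip_entry(text, hostname, ip, key_type, key_b64):
    """With CheckHostIP on, a key trusted for the hostname but absent for the
    IP gets written to the user file, whatever StrictHostKeyChecking says."""
    return (bool(entries_for(text, hostname, key_type, key_b64))
            and not entries_for(text, ip, key_type, key_b64))


# Constructed sample file: one plaintext entry, one hashed entry, no IP entries.
SALT = b"\x01" * 20
KEY_A = "AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEYAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
KEY_B = "AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEYBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "someHost,someHost.example ssh-ed25519 " + KEY_A,
    hash_host("other.example", SALT) + " ssh-ed25519 " + KEY_B,
])
```

Running `would_add_ip_entry(SAMPLE_KNOWN_HOSTS, "someHost", "192.0.2.10", "ssh-ed25519", KEY_A)` returns True, which is the situation that produces the warning quoted in the comment; adding a `192.0.2.10 ssh-ed25519 ...` line makes it False.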
