[Bug 2631] New: Hostkey update and rotation - No IP entries added to known_hosts

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Wed Oct 26 15:42:44 AEDT 2016


https://bugzilla.mindrot.org/show_bug.cgi?id=2631

            Bug ID: 2631
           Summary: Hostkey update and rotation - No IP entries added to
                    known_hosts
           Product: Portable OpenSSH
           Version: 7.3p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: lkinley at gmail.com

When UpdateHostKeys=yes/ask, only hostname based entries are added to
known_hosts file when learning new hostkeys.

Shouldn't IP entries also be added?

Consider the following scenario:

User connects for the first time, specifying a HostKeyAlgorithms
setting that is not first in the default list (rsa-sha2-256 in this
case), HashKnownHosts=yes, and UpdateHostKeys=yes.  Server sends key,
it gets recorded in known_hosts both under the hostname and the IP. 
User authenticates and additional keys are learned and stored under
only the hostname.

A second connection is made with the default HostKeyAlgorithms value. 
A warning and prompt is issued because the ECDSA key differs from the
RSA key stored under the IP address.

This warning and prompt would be avoided if the hostkey update and
rotation process recorded a known_hosts entry with the IP address, too.

Is this intentional?

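The mismatch the report describes can be audited from the client side without connecting: a known_hosts file that records several key types under the hostname but only the first-negotiated type under the IP is exactly what trips the warning on the second connection. The script below is an added example, not code from the bug report or from OpenSSH; it parses a constructed known_hosts (made-up key blobs, hostname and IP chosen for illustration), lists the key types known under the hostname but missing under the IP, and builds the lines that would record them under the IP as well, using the HashKnownHosts token format (`|1|base64(salt)|base64(HMAC-SHA1(salt, name))`). Wildcard patterns, negated patterns and `[host]:port` tokens are not handled.

```python
import base64
import hashlib
import hmac
import os

# Constructed known_hosts content (not taken from the bug report): the first
# connection with CheckHostIP=yes wrote the RSA key under hostname and IP on
# one line; UpdateHostKeys then appended the ECDSA key under the hostname
# only. The key blobs are made-up base64, not real keys.
SAMPLE_KNOWN_HOSTS = """\
bastion.example.test,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0fake
bastion.example.test ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAfake
"""

HASH_MAGIC = "|1|"  # prefix OpenSSH uses for HashKnownHosts entries


def hash_host(name, salt=None):
    """Return a hashed host token: |1|base64(salt)|base64(HMAC-SHA1(salt, name))."""
    if salt is None:
        salt = os.urandom(20)  # same salt length as the SHA-1 digest
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return (HASH_MAGIC + base64.b64encode(salt).decode()
            + "|" + base64.b64encode(digest).decode())


def host_matches(pattern, name):
    """True if a known_hosts host token (plain or hashed) names `name`."""
    if pattern.startswith(HASH_MAGIC):
        try:
            salt_b64, hash_b64 = pattern[len(HASH_MAGIC):].split("|", 1)
            salt = base64.b64decode(salt_b64)
            expected = base64.b64decode(hash_b64)
        except ValueError:  # malformed token never matches
            return False
        digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(digest, expected)
    return pattern == name


def parse_known_hosts(text):
    """Return (host_tokens, key_type, key_blob) per key line, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            continue
        entries.append((fields[0].split(","), fields[1], fields[2]))
    return entries


def key_types_for(entries, name):
    """Set of key types recorded for `name` under any plain or hashed token."""
    return {ktype for tokens, ktype, _ in entries
            if any(host_matches(t, name) for t in tokens)}


def find_missing_ip_keys(text, hostname, ip):
    """Key types known under `hostname` but not under `ip` (the report's mismatch)."""
    entries = parse_known_hosts(text)
    return key_types_for(entries, hostname) - key_types_for(entries, ip)


def ip_entries_to_add(text, hostname, ip, hashed=True):
    """Lines that record each missing hostname key under `ip` too, so a later
    connection negotiating a different key type matches under both names."""
    entries = parse_known_hosts(text)
    missing = find_missing_ip_keys(text, hostname, ip)
    lines = []
    for tokens, ktype, blob in entries:
        if ktype in missing and any(host_matches(t, hostname) for t in tokens):
            token = hash_host(ip) if hashed else ip
            lines.append(f"{token} {ktype} {blob}")
    return lines


if __name__ == "__main__":
    host, ip = "bastion.example.test", "192.0.2.10"
    print("missing under IP:", find_missing_ip_keys(SAMPLE_KNOWN_HOSTS, host, ip))
    for line in ip_entries_to_add(SAMPLE_KNOWN_HOSTS, host, ip):
        print("append:", line)
```

Run against a real `~/.ssh/known_hosts` by substituting its contents for `SAMPLE_KNOWN_HOSTS`; the emitted lines copy key material the client has already accepted for the hostname, so appending them only extends trust that was already recorded, and the hashed tokens verify with `host_matches` the same way OpenSSH checks them.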

