[Bug 2631] New: Hostkey update and rotation - No IP entries added to known_hosts

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Wed Oct 26 15:42:44 AEDT 2016


            Bug ID: 2631
           Summary: Hostkey update and rotation - No IP entries added to
           Product: Portable OpenSSH
           Version: 7.3p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: lkinley at gmail.com

When UpdateHostKeys=yes/ask, only hostname based entries are added to
known_hosts file when learning new hostkeys.

Shouldn't IP entries also be added?

Consider the following scenario:

User connects for the first time, specifying a HostKeyAlgorithms
setting that is not first in the default list (rsa-sha2-256 in this
case), HashKnownHosts=yes, and UpdateHostKeys=yes.  Server sends key,
it gets recorded in known_hosts both under the hostname and the IP. 
User authenticates and additional keys are learned and stored under
only the hostname.

A second connection is made with the default HostKeyAlgorithms value. 
A warning and prompt is issued because the ECDSA key differs from the
RSA key stored under the IP address.

This warning and prompt would be avoided if the hostkey update and
rotation process recorded a known_hosts entry with the IP address, too.

Is this intentional?

You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list