[Bug 3113] StrictHostKeyChecking=no works with changed 1024 bit RSA hostkeys but fails when 2048 RSA

bugzilla-daemon at bugzilla.mindrot.org
Tue Jan 28 02:29:18 AEDT 2020


https://bugzilla.mindrot.org/show_bug.cgi?id=3113

--- Comment #2 from Andy Hart <Andy.Hart1 at cgi.com> ---
Created attachment 3352
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3352&action=edit
SSH debug connection output as requested

The debug output (ssh -vvv ...) is from an Ubuntu ssh client, connecting
to a CentOS ssh server. For this capture, the SSH server has a 2048-bit
RSA host key. The client started with an empty known_hosts file and
made a first connection. It accepted and stored the SSH server's host
key. I then modified the stored key in the client's known_hosts file
and repeated the SSH connection, this time with the "-vvv" option.
The connection failed with a warning about a MITM attack, i.e. despite
"StrictHostKeyChecking=no" being set in the config file it did NOT accept
the changed key. However, if I repeat this test with a 1024-bit RSA key
on the SSH server, no MITM attack is reported.

Regards,
Andy
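
Added example, not part of the bug report above and not OpenSSH's own code: a small Python script that decodes the ssh-rsa blob stored in a known_hosts line (RFC 4253 wire format: string "ssh-rsa", mpint e, mpint n), reports the modulus size, and mimics the test procedure described in the comment by editing the stored key and comparing it with the key the server presents. The host name and the RSA parameters are constructed for the example and are not real keys; the offline comparison only shows what a stored-versus-presented mismatch looks like for a 1024-bit and a 2048-bit entry, it does not reproduce the client's StrictHostKeyChecking decision.

```python
import base64
import struct

# --- SSH wire-format helpers (RFC 4253 section 5 / 6.6) --------------------

def _ssh_string(b: bytes) -> bytes:
    """uint32 length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(n: int) -> bytes:
    """Positive multiple-precision integer: big-endian, leading 0x00 if
    the top bit is set so the value is not read as negative."""
    if n == 0:
        return _ssh_string(b"")
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return _ssh_string(b)

def _read_string(buf: bytes, off: int):
    (ln,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + ln], off + ln

def make_rsa_blob(e: int, n: int) -> bytes:
    """Public key blob as it appears base64-encoded in known_hosts."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)

def known_hosts_line(host: str, blob: bytes) -> str:
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"

# --- Parsing and comparison --------------------------------------------------

def parse_rsa_entry(line: str) -> dict:
    """Parse one plain (unhashed, no @marker) known_hosts line into host,
    exponent, modulus and modulus bit length."""
    host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    if keytype != "ssh-rsa" or wire_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa entry")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after RSA key")
    n = int.from_bytes(n_bytes, "big")
    return {"host": host, "e": int.from_bytes(e_bytes, "big"),
            "n": n, "bits": n.bit_length()}

def tamper_entry(line: str) -> str:
    """Mimic hand-editing the stored key: flip the low bit of the modulus
    and re-encode, so the entry stays well-formed but no longer matches."""
    entry = parse_rsa_entry(line)
    return known_hosts_line(entry["host"],
                            make_rsa_blob(entry["e"], entry["n"] ^ 1))

def compare_entries(stored: str, presented: str) -> str:
    """Report whether the stored entry equals the key the server presented."""
    a, b = parse_rsa_entry(stored), parse_rsa_entry(presented)
    if a["n"] == b["n"] and a["e"] == b["e"]:
        return f"match ({a['bits']}-bit RSA)"
    return (f"MISMATCH: stored {a['bits']}-bit RSA, "
            f"server presented {b['bits']}-bit RSA")

# --- Constructed sample data (NOT real keys) --------------------------------
# Moduli are chosen only for their bit length; a real modulus is a product
# of two primes generated by ssh-keygen.
E = 65537
N_2048 = (1 << 2047) | (1 << 1000) | 1
N_1024 = (1 << 1023) | (1 << 500) | 1
HOST = "centos.example"  # hypothetical host name

SERVER_2048 = known_hosts_line(HOST, make_rsa_blob(E, N_2048))
SERVER_1024 = known_hosts_line(HOST, make_rsa_blob(E, N_1024))

if __name__ == "__main__":
    # First connection stored the key; second connection, after editing it.
    for presented in (SERVER_2048, SERVER_1024):
        stored = tamper_entry(presented)
        print(parse_rsa_entry(presented)["bits"], "bit:",
              compare_entries(stored, presented))
```

For a quick check against a real known_hosts file, `ssh-keygen -l -f ~/.ssh/known_hosts` prints the bit length and fingerprint of every stored entry, and `ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub` on the server shows the key it will present, so a size or fingerprint difference between the two can be confirmed before reading the -vvv output.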
