[Bug 3501] New: When checking key for IP address, key type is ignored in comparison

bugzilla-daemon at mindrot.org
Mon Nov 14 19:30:44 AEDT 2022


https://bugzilla.mindrot.org/show_bug.cgi?id=3501

            Bug ID: 3501
           Summary: When checking key for IP address, key type is ignored
                    in comparison
           Product: Portable OpenSSH
           Version: 9.1p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: bugzilla.mindrot.org at pobox.madduck.net

I used ssh-keyscan to add all 3 keys of a remote host to my known_hosts
file, like so (lines 1–3):

somehost.example.org,192.0.2.167,2001:db8::192.0.2.167 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBExREWxSdCmgdG0WUoziitLWMg5QdR3bNpS5i2ckTWX1VAX24vKggTJdXHU5pQDNIn1OsjMx2ez0TugcPsUIGG0=
somehost.example.org,192.0.2.167,2001:db8::192.0.2.167 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINExMfqczBvNAubVtOdimLP2UwrNwvx5nQstjW8VNs3x
somehost.example.org,192.0.2.167,2001:db8::192.0.2.167 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDD8joOCwmwpyLF+OEiD/UPW4dLYxjgH6ogNKWeqGnkWf2+DaqqZe9acay/Mka6x3c9GCMalC3v2KU6NgnuDAQaEVClDlAaxRMX3n5TY+7EYPV/+z2L/9q4xsJgqdYd2vpB9d7IC5iBmOvPI5FWg74423t1X/jXsLmNOQahznrQTfqDTBzSMbXfsOIVrahz5u4vnK6ZjpTFPLVCm+6BSHTzycEM9LWTD6t7X57GR+96bCAQsmuSHL8amV0V/cWhNH0vhjBp7DSOfHOUukmDdPZ/62dcCg6zHpKjDErp2Q8HJwK4vOkD/YQFzadgiTHVZed732b+EB1bS2MOWuapBx6R

Because of https://bugzilla.mindrot.org/show_bug.cgi?id=3500, when I
connect to the remote host, SSH adds a line for the alternate IPv6
address to known_hosts (this is on line 101):

2001:db8::c000:02a7 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINExMfqczBvNAubVtOdimLP2UwrNwvx5nQstjW8VNs3x

Now, if for whatever reason, SSH tries to verify the host using the
ECDSA key, it will fail to connect:

Warning: the ECDSA host key for 'somehost.example.org' differs from the key for the IP address '2001:db8::c000:02a7'
Offending key for IP in /var/lib/backuppc/.ssh/known_hosts:101
Matching host key in /var/lib/backuppc/.ssh/known_hosts:1
Exiting, you have requested strict checking.
Host key verification failed.

But it's comparing an ECDSA key used for the verification of the
current session to an ED25519 key fingerprint stored in line 101, and
that doesn't seem right.

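To make the reported behaviour concrete, here is an added example (not OpenSSH's code) that models the host/IP cross-check over a constructed known_hosts file shaped like the one above: with the IP entry's key type ignored, an ECDSA session is compared against the ed25519 key stored for the IP and reported as a mismatch; with a type-aware lookup there is simply no ECDSA key for that IP yet. Key blobs are placeholders and host matching is exact (no wildcards, negation or hashed entries).

```python
"""Added example, not OpenSSH code: a model of the known_hosts host/IP
cross-check described in the report.  Key blobs are constructed
placeholders; host matching is exact (no wildcards or hashed hosts)."""
from dataclasses import dataclass
from typing import Optional

# Constructed known_hosts mirroring the report: lines 1-3 from ssh-keyscan,
# line 4 is the extra ed25519 entry ssh added for the alternate IPv6 form.
KNOWN_HOSTS = """\
somehost.example.org,192.0.2.167,2001:db8::192.0.2.167 ecdsa-sha2-nistp256 AAAAE2Vj-CONSTRUCTED-ECDSA
somehost.example.org,192.0.2.167,2001:db8::192.0.2.167 ssh-ed25519 AAAAC3Nz-CONSTRUCTED-ED25519
somehost.example.org,192.0.2.167,2001:db8::192.0.2.167 ssh-rsa AAAAB3Nz-CONSTRUCTED-RSA
2001:db8::c000:02a7 ssh-ed25519 AAAAC3Nz-CONSTRUCTED-ED25519
"""

@dataclass
class Entry:
    line: int
    hosts: list[str]   # comma-separated host patterns from field 1
    key_type: str      # e.g. "ssh-ed25519"
    key: str           # base64 key blob

def parse_known_hosts(text: str) -> list[Entry]:
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split()
        if len(fields) >= 3 and not raw.startswith("#"):
            entries.append(Entry(n, fields[0].split(","), fields[1], fields[2]))
    return entries

def find_key(entries: list[Entry], name: str, key_type: Optional[str]) -> Optional[Entry]:
    """First entry listing `name`; key_type=None accepts any key type."""
    for e in entries:
        if name in e.hosts and (key_type is None or e.key_type == key_type):
            return e
    return None

def check_ip_key(entries, hostname, ip, session_type, by_type):
    """Cross-check the host's key of `session_type` against the key stored for
    its IP.  by_type=False reproduces the reported behaviour (the IP entry's
    type is ignored); by_type=True compares only same-type keys.
    Returns (status, host_line, ip_line)."""
    host_e = find_key(entries, hostname, session_type)
    if host_e is None:
        return ("unknown-host", None, None)
    ip_e = find_key(entries, ip, session_type if by_type else None)
    if ip_e is None:
        return ("no-ip-key", host_e.line, None)    # ssh would just add one
    if ip_e.key_type == host_e.key_type and ip_e.key == host_e.key:
        return ("ok", host_e.line, ip_e.line)
    return ("mismatch", host_e.line, ip_e.line)   # "Offending key for IP"

ENTRIES = parse_known_hosts(KNOWN_HOSTS)
HOST, IP = "somehost.example.org", "2001:db8::c000:02a7"
```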