[Bug 3746] New: ssh-keyscan output format is not compatible with ssh-keygen -s
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Wed Oct 23 13:01:11 AEDT 2024
https://bugzilla.mindrot.org/show_bug.cgi?id=3746
Bug ID: 3746
Summary: ssh-keyscan output format is not compatible with
ssh-keygen -s
Product: Portable OpenSSH
Version: 9.2p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh-keyscan
Assignee: unassigned-bugs at mindrot.org
Reporter: pmk.64k84 at lgosys.com
Created attachment 3840
--> https://bugzilla.mindrot.org/attachment.cgi?id=3840&action=edit
Test case showing syntactic differences and resulting error
Using scp (or some other direct-copy method) to fetch a host public key
(in this case ed25519) results in a syntactic structure which could be
described as "ssh-ed25519 key root at host".
Using ssh-keyscan to fetch the same host public key results in the
syntactic structure "host ssh-ed25519 key" where "host" is the
mechanism used to identify the host on the command (IP address, host
name, FQDN).
When used as an input to `ssh-keygen -s` the presence of the "host"
portion causes ssh-keygen to complain "No such file or directory" even
though the file is there.
Editing the ssh-keyscan download (eg piping to `cut -d " " -f 2-3`)
cures the problem, at least for certificate generation.
I'm presenting this as an enhancement request because it seems to me
that the least disruptive way of ensuring compatibility between
ssh-keyscan outputs and ssh-keygen's requirements is to add an option
to ssh-keyscan which removes the "host" portion, reducing it to just
"ssh-ed25519 key". The absence of the "root at hostname" portion does not
seem to matter to `ssh-keygen -s`.
I suppose the alternative would be to treat this as a bug in
ssh-keygen, where it should be ignoring the "host" portion of the
ssh-keyscan output.
I have tested this on both macOS 14.6.1 (SSH-2.0-OpenSSH_9.7) and a
variety of Debian-based systems (SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3
and SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3). I see the same behaviour
on all systems, irrespective of whether the system is where ssh-keyscan
is running, or is the target of the operation. Although my focus is on
ed25519 keys, the same pattern is evident with rsa keys.
I was really surprised that I was unable to find an existing bug report
mentioning this problem.
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list