[Bug 3881] Warning should mention client too
    bugzilla-daemon at mindrot.org 
    Mon Oct 13 20:24:52 AEDT 2025
https://bugzilla.mindrot.org/show_bug.cgi?id=3881
Darren Tucker <dtucker at dtucker.net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net
--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Dan Jacobson from comment #0)
[...]
> To resolve this, you just need to refresh the stored host key on your
> computer. Run the command ssh-keygen -R jidanni.org to remove the
> outdated key, then connect again with ssh -vv jidanni.org and accept the
> new ED25519 key when prompted.

That's not particularly good advice: when you reconnect the first time
after deleting the host key you are vulnerable to a MITM attack.  They
should at least provide a secure method of verifying the new host key,
or...

$ telnet jidanni.org 22
Trying 69.163.177.88...
Connected to jidanni.org.
Escape character is '^]'.
SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.13

That version has the UpdateHostKeys option (it was introduced[0] in
8.6) that allows the client to learn new host keys in a secure manner.
Since this didn't happen presumably it's disabled in either the client
or server?

[0] https://www.openssh.com/releasenotes.html#8.6

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
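
Added example (not part of the original message and not OpenSSH code): one way to give users the secure verification the comment asks for is to publish the new key's SHA256 fingerprint over a trusted channel and compare it with the key the server offers before accepting it. The function names and the sample keys below are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint of a '<type> <base64> [comment]' public key line,
    in the SHA256:<unpadded base64> form that ssh and ssh-keygen -l print."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64-blob> [comment]'")
    keytype, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob embeds its own key type; reject a line whose label disagrees.
    if not blob.startswith(ssh_string(keytype.encode())):
        raise ValueError("declared key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches_pinned(pubkey_line: str, pinned: str) -> bool:
    """True only if the offered key hashes to the fingerprint obtained
    out of band (hypothetical helper; the pinned value is the trust anchor)."""
    offered = fingerprint(pubkey_line).encode()
    return hmac.compare_digest(offered, pinned.strip().encode())


def constructed_ed25519_line(raw32: bytes, comment: str = "example") -> str:
    """Build a syntactically valid ssh-ed25519 line from 32 constructed bytes."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    published = constructed_ed25519_line(bytes(range(32)))  # constructed key
    pinned = fingerprint(published)  # what the operator would publish
    offered = constructed_ed25519_line(bytes(32))  # a different constructed key
    print(pinned)
    print("published key matches:", matches_pinned(published, pinned))
    print("other key matches:", matches_pinned(offered, pinned))
```

For a real key file, ssh-keygen -lf prints the fingerprint in the same form, so the published value can be checked against it directly.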