[PATCH] mention ssh-keyscan in remote host fingerprint warning

Scott Moser smoser at ubuntu.com
Fri Dec 10 02:27:26 EST 2010

Hi, below is a patch to simply mention 'ssh-keygen' when a fingerprint
does not match between the known_hosts file and the remote.

I find that many people are unaware that ssh-keygen can do this for them.
adding a copy-and-pasteable message in the warning will make users
more aware.

Description: Mention ssh-keygen in ssh fingerprint changed warning
Author: Scott Moser <smoser at ubuntu.com>
Bug: https://launchpad.net/bugs/686607
Index: openssh/sshconnect.c
--- openssh.orig/sshconnect.c	2010-12-09 10:21:33.889760054 -0500
+++ openssh/sshconnect.c	2010-12-09 10:22:02.139864915 -0500
@@ -908,14 +908,17 @@
 			error("%s. This could either mean that", key_msg);
 			error("DNS SPOOFING is happening or the IP address for the host");
 			error("and its host key have changed at the same time.");
-			if (ip_status != HOST_NEW)
+			if (ip_status != HOST_NEW) {
 				error("Offending key for IP in %s:%d", ip_file, ip_line);
+				error("  remove with: ssh-keygen -f \"%s\" -R %d", ip_file, ip_line);
+			}
 		/* The host key has changed. */
 		error("Add correct host key in %.100s to get rid of this message.",
 		error("Offending key in %s:%d", host_file, host_line);
+		error("  remove with: ssh-keygen -f \"%s\" -R %d", host_file, host_line);

 		 * If strict host key checking is in use, the user will have

More information about the openssh-unix-dev mailing list