auto-accept keys matching DNSSEC-validated SSHFP records

Robert Story rstory at
Thu Jul 21 04:03:59 EST 2011

On Wed, 20 Jul 2011 18:41:53 +0100 Alex wrote:
AB> > 3) ssh to same host after SSHFP record updated and re-signed
AB> >
AB> > $ ./ssh bishop
AB> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
AB> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
AB> > Howerver, a matching host key, validated by DNSSEC, was found.
AB> > The fingerprint for the RSA key sent by the remote host is
AB> > 1a:48:3f:2c:54:29:60:c4:86:b9:78:bd:e9:64:1f:8d.
AB> > Please contact your system administrator.
AB> > Add correct host key in /home/rstory/.ssh/known_hosts to get rid of this
AB> > message. Offending key in /home/rstory/.ssh/known_hosts:69
AB> > The authenticity of host 'bishop.vb (' was  validated via
AB> > DNSSEC. Warning: Permanently added 'bishop.vb' (RSA) to the list of known
AB> > hosts.
AB> I think the functionality I'd want here (I appreciate other people
AB> might differ) is no warning here.
AB> But the text of this warning is really confusing. Firstly it says
AB> "Add correct host key in /home/rstory/.ssh/known_hosts to get rid of this
AB> message.", then tells you (I think) that it has done just that. It
AB> should either be telling you that you need to do it (and not completing
AB> the connection), or not warning and completing the connection, I think.

I tried to minimize changes to existing code, so I left all the
existing output in place with as little modification as possible. I'm
fine with tweaking the output a bit.

Senior Software Engineer
SPARTA (dba Cobham Analytic Soloutions)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <>

More information about the openssh-unix-dev mailing list