Call for testing: OpenSSH 8.2

Damien Miller djm at mindrot.org
Thu Feb 6 16:29:48 AEDT 2020


On Wed, 5 Feb 2020, Phil Pennock wrote:

> On 2020-02-06 at 10:29 +1100, Damien Miller wrote:
> >  * sshd(8): allow the UpdateHostKeys feature to function when
> >    multiple known_hosts files are in use. When updating host keys,
> >    ssh will now search subsequent known_hosts files, but will add
> >    updated host keys to the first specified file only. bz2738
> 
> In testing this, when the impact is to _remove_ a known_hosts entry then
> all the existing entries are deleted from the subsequent files, and the
> remaining entries are added to the first file.
> 
> I initially assumed, on reading the email, that the logic was to not
> assume that subsequent files are writable, but it seems that's not it.
> 
> Is this just a corner case that wasn't considered?

No, that's pretty much the intended behaviour. Tracking which entries go
where and trying to match it while making updates is just too fiddly.

I hope to automatically enable UpdateHostKeys in a future release when
the user is using the default UserKnownHostsFiles, so if people are
using something custom then they can choose themselves whether the above
behaviour is something they can live with.

The previous behaviour was quite broken: AFAIK it wouldn't even search
beyond the first known_hosts file when looking for keys.

-d
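The cross-file consolidation Phil describes and Damien confirms, as an added model of the behaviour (constructed example, not OpenSSH's own code): every entry for the host is dropped from all known_hosts files in the search order, and the complete set of keys the server now advertises is written to the first file only. It assumes plain, unhashed hostnames and one host per line; the file names and key strings are made up.

```python
# Model of the UpdateHostKeys behaviour described in the thread (constructed
# example, not OpenSSH source): entries for the host are dropped from every
# known_hosts file, and the full advertised key set is written to the first.
from typing import Dict, List, Optional, Tuple

KnownHosts = Dict[str, List[str]]  # file name -> list of known_hosts lines


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split 'host keytype key' into (host, keytype, key); None for blank/comment lines.
    Hashed (|1|...) and comma-separated host patterns are out of scope here."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 3:
        return None
    return parts[0], parts[1], parts[2]


def update_host_keys(files: KnownHosts, order: List[str], host: str,
                     advertised: Dict[str, str]) -> KnownHosts:
    """Return the updated files. `order` is the UserKnownHostsFile search order;
    `advertised` maps key type -> base64 key as the server currently offers them."""
    updated: KnownHosts = {}
    for name in order:
        kept = []
        for line in files.get(name, []):
            parsed = parse_line(line)
            # Matching entries are removed from every file in the list ...
            if parsed and parsed[0] == host:
                continue
            kept.append(line)
        updated[name] = kept
    # ... and the complete advertised key set is appended to the first file only,
    # so keys that used to live in later files migrate to the first one.
    first = order[0]
    for keytype, key in advertised.items():
        updated[first].append(f"{host} {keytype} {key}")
    return updated


# Constructed sample: the host's keys are spread over two files (hypothetical paths/keys).
FILES = {
    "~/.ssh/known_hosts": ["example.org ssh-ed25519 AAAAC3ed25519key"],
    "~/.ssh/known_hosts2": ["example.org ssh-rsa AAAAB3rsakey",
                            "example.org ecdsa-sha2-nistp256 AAAAE2ecdsakey",
                            "other.org ssh-ed25519 AAAAC3otherkey"],
}
ORDER = ["~/.ssh/known_hosts", "~/.ssh/known_hosts2"]
# The server has dropped its ECDSA key, so the update removes one entry.
ADVERTISED = {"ssh-ed25519": "AAAAC3ed25519key", "ssh-rsa": "AAAAB3rsakey"}
RESULT = update_host_keys(FILES, ORDER, "example.org", ADVERTISED)
```

After the update the second file keeps only the unrelated host, and the first file holds both remaining keys for example.org, including the RSA key that previously lived in the second file.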