UpdateHostkeys now enabled by default

Matthieu Herrb matthieu at herrb.eu
Sun Oct 4 17:34:48 AEDT 2020


On Sat, Oct 03, 2020 at 07:44:08PM +1000, Damien Miller wrote:
> Hi,
> 
> I just fixed a couple of corner-cases relating to UpdateHostkeys in git
> HEAD and have enabled the option by default. IMO this protocol extension
> is important because it allows ssh clients to automatically migrate to
> the best available signature algorithms available on the server and
> supports our goal of deprecating RSA/SHA1 in the future.
> 
> We would really appreciate your feedback on this feature if you are able
> to run git HEAD on non-production systems - we try our best to keep
> OpenSSH stable and usable through the development cycle (really, we try
> to keep it ready for release at any time). IMO it is quite suitable to
> use as a daily driver on one's laptop. To test this feature, you really
> only need run the ssh client.
> 

Hi,

On OpenBSD-current I now get this when connecting to an existing
machine for which I have both ecdsa and ed25519 keys in my existing
known_hosts (but apparently ed25519 keys were added only for the name
previously by ssh):

Warning: the ED25519 host key for 'freedom' differs from the key for
the IP address '2a03:7220:8081:6101:6552:9ca8:512b:9251'
Offending key for IP in /home/matthieu/.ssh/known_hosts:53
Matching host key in /home/matthieu/.ssh/known_hosts:131
Are you sure you want to continue connecting (yes/no)?

Line 53 is the ecdsa key for the given address, 131 is the ed25519 key
for the name. Neither the name nor the IP address for freedom changed
(and the behaviour is the same with IPv4).

If I answer 'yes' the known_hosts file is not updated. I have to
remove the ecdsa key manually to have the ed25519 key for the IP
address added automatically.

i.e.:

% ssh-keygen -R '2a03:7220:8081:6101:6552:9ca8:512b:9251'
# Host 2a03:7220:8081:6101:6552:9ca8:512b:9251 found: line 53
/home/matthieu/.ssh/known_hosts updated.
Original contents retained as /home/matthieu/.ssh/known_hosts.old
% ssh freedom
Warning: Permanently added the ED25519 host key for IP address
'2a03:7220:8081:6101:6552:9ca8:512b:9251' to the list of known hosts.


I find this quite disturbing (and it breaks some non-interactive
scripts). Is it the intended behaviour?

-- 
Matthieu Herrb
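As an added example (not OpenSSH's code and not part of this thread): a small Python audit of a known_hosts file that, for a hostname and its IP address, lists which key types are recorded under each and flags types present under only one of them, or recorded with different values, which is the kind of name/IP inconsistency behind the warning described above. The names hashed_pattern, keys_for and audit are chosen here; the sample file is constructed and its key blobs are placeholders.

```python
import base64
import hashlib
import hmac

def hashed_pattern(host: str, salt: bytes) -> str:
    """Build a HashKnownHosts-style pattern: |1|b64(salt)|b64(hmac_sha1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def _matches(pattern: str, host: str) -> bool:
    """True if one known_hosts host pattern names host (plain or hashed)."""
    if pattern.startswith("|1|"):
        _, _, salt, digest = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1)
        return hmac.compare_digest(base64.b64decode(digest), mac.digest())
    return pattern == host

def keys_for(known_hosts: str, host: str) -> dict:
    """Map key type -> (line number, key blob) for the first entry naming host."""
    found = {}
    for lineno, line in enumerate(known_hosts.splitlines(), 1):
        fields = line.split()
        if len(fields) < 3 or line.startswith(("#", "@")):
            continue  # blank, comment, or @cert-authority/@revoked marker line
        if any(_matches(p, host) for p in fields[0].split(",")):
            found.setdefault(fields[1], (lineno, fields[2]))
    return found

def audit(known_hosts: str, name: str, ip: str) -> dict:
    """Compare the key types recorded for a hostname with those for its IP."""
    by_name, by_ip = keys_for(known_hosts, name), keys_for(known_hosts, ip)
    report = {"name_only": [], "ip_only": [], "mismatch": []}
    for ktype in sorted(set(by_name) | set(by_ip)):
        if ktype not in by_ip:
            report["name_only"].append((ktype, by_name[ktype][0]))
        elif ktype not in by_name:
            report["ip_only"].append((ktype, by_ip[ktype][0]))
        elif by_name[ktype][1] != by_ip[ktype][1]:
            report["mismatch"].append((ktype, by_name[ktype][0], by_ip[ktype][0]))
    return report

# Constructed sample mirroring the report: the IP carries only an ecdsa key,
# the name only an ed25519 key (hashed, as HashKnownHosts would write it).
# Key blobs are placeholders, not real keys.
IP = "2a03:7220:8081:6101:6552:9ca8:512b:9251"
SAMPLE = "\n".join([
    "%s ecdsa-sha2-nistp256 AAAAecdsaIP" % IP,
    "# comment line",
    "%s ssh-ed25519 AAAAed25519NAME" % hashed_pattern("freedom", b"s" * 20),
])
```

audit(SAMPLE, "freedom", IP) reports the ecdsa type under the IP only and the ed25519 type under the name only, the state the reporter had to resolve by hand with ssh-keygen -R.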
