UpdateHostkeys now enabled by default
Damien Miller
djm at mindrot.org
Sun Oct 4 22:50:32 AEDT 2020
On Sun, 4 Oct 2020, Matthieu Herrb wrote:
> On Sun, Oct 04, 2020 at 09:24:12PM +1100, Damien Miller wrote:
> > On Sun, 4 Oct 2020, Damien Miller wrote:
> >
> > > No - I think you've stumbled on a corner case I hadn't anticipated.
> > > Does your configuration override CheckHostIP at all?
>
> No.
>
> > >
> > > What are the known_hosts entries for the hostname and IP?
> >
> > Also, do you use HashKnownHosts? or do you have any hashed host lines
> > in known_hosts?
>
> Yes I use HashKnownHosts yes
Thanks - I think that was the missing piece of the puzzle. Can you
please try this diff? It lets UpdateKnownHosts store entries for
the IP address as well as the hostname.
diff --git a/hostfile.c b/hostfile.c
index 3dc9809..9ec9afa 100644
--- a/hostfile.c
+++ b/hostfile.c
@@ -449,6 +449,9 @@ write_host_entry(FILE *f, const char *host, const char *ip,
else
error("%s: sshkey_write failed: %s", __func__, ssh_err(r));
fputc('\n', f);
+ /* If hashing is enabled, the IP address needs to go on its own line */
+ if (success && store_hash && ip != NULL)
+ success = write_host_entry(f, ip, NULL, key, 1);
return success;
}
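Review bot: the nested call passes a literal 1 for store_hash instead of forwarding the caller's store_hash; under the `if (success && store_hash && ip != NULL)` guard the two are equal, so the behaviour is correct, but forwarding store_hash would keep that invariant explicit if the guard is ever changed. The comment above the call would also be clearer if it stated why the IP needs its own line: a hashed known_hosts entry can only represent a single name, so the `host,ip` comma-separated form used for plaintext lines is not available. Finally, the recursion terminates only because the nested call passes NULL for ip, which is worth noting in the same comment.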