UpdateHostkeys now enabled by default
Matthieu Herrb
matthieu at herrb.eu
Mon Oct 5 03:41:05 AEDT 2020
On Sun, Oct 04, 2020 at 10:50:32PM +1100, Damien Miller wrote:
> On Sun, 4 Oct 2020, Matthieu Herrb wrote:
>
> > On Sun, Oct 04, 2020 at 09:24:12PM +1100, Damien Miller wrote:
> > > On Sun, 4 Oct 2020, Damien Miller wrote:
> > >
> > > > No - I think you've stumbled on a corner case I hadn't anticipated.
> > > > Does your configuration override CheckHostIP at all?
> >
> > No.
> >
> > > >
> > > > What are the known_hosts entries for the hostname and IP?
> > >
> > > Also, do you use HashKnownHosts? or do you have any hashed host lines
> > > in known_hosts?
> >
> > Yes, I use HashKnownHosts, yes.
>
> Thanks - I think that was the missing piece of the puzzle. Can you
> please try this diff? It lets UpdateKnownHosts store entries for
> the IP address as well as the hostname.
>
> diff --git a/hostfile.c b/hostfile.c
> index 3dc9809..9ec9afa 100644
> --- a/hostfile.c
> +++ b/hostfile.c
> @@ -449,6 +449,9 @@ write_host_entry(FILE *f, const char *host, const char *ip,
> else
> error("%s: sshkey_write failed: %s", __func__, ssh_err(r));
> fputc('\n', f);
> + /* If hashing is enabled, the IP address needs to go on its own line */
> + if (success && store_hash && ip != NULL)
> + success = write_host_entry(f, ip, NULL, key, 1);
> return success;
> }
>
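Review bot: the recursive call passes the literal `1` as the hash flag while the guard just above tests `store_hash`; passing `store_hash` through instead keeps the two in step if the guard is later relaxed. The hunk also does not check whether `host` already equals `ip` (a connection made by address), in which case the same hashed entry is written twice; skipping the recursion when `strcmp(host, ip) == 0` would avoid the duplicate line. Finally, the unhashed branch is outside this hunk, so it is worth confirming that `host` and `ip` are still combined on one line there rather than the IP being dropped when hashing is off.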
Thanks for the patch; unfortunately it doesn't solve the issue. ssh is
still claiming that the ecdsa key present in known_hosts differs from
the ed25519 key.
And if I answer yes to the question, known_hosts is not updated.
The way to fix this is still to remove the ecdsa key from
known_hosts manually.
--
Matthieu Herrb