UpdateHostkeys now enabled by default

Matthieu Herrb matthieu at herrb.eu
Mon Oct 5 17:11:19 AEDT 2020


On Mon, Oct 05, 2020 at 10:18:07AM +1100, Damien Miller wrote:
> On Sun, 4 Oct 2020, Matthieu Herrb wrote:
> 
> > thanks for the patch, unfortunately it doesn't solve the issue. ssh is
> > still claiming that the ecdsa key present in known_hosts differs from
> > the ed25519 key.
> > And if I answer yes to the question known_hosts is not updated.
> > 
> > The way to fix this is still to remove the ecdsa key from
> > known_hosts manually.
> 
> Please try removing the ssh-ed25519 key from known_hosts (leaving just
> the ECDSA lines for name and IP) and try connecting with my patch. IMO
> the problem is that unpatched ssh forgot to write a known_hosts entry
> for the host's IP address and left your known_hosts in an inconsistent
> state.
> 
> If that fails then please send a debug trace from ssh ("ssh -vvv
> ...")

Yes that works as expected in my tests. Thanks.

The problem is more that, in the default config, ssh is now refusing
to connect when in addition to ecdsa keys there is already an ED25519
key for the hashed host name, but no hashed IP entry. The bare 8.4 ssh
(from OpenBSD September 29 snapshot) does connect without asking in
that situation.

-- 
Matthieu Herrb
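The inconsistent known_hosts state discussed in this thread (key types recorded under the hashed host name but not under the hashed IP) can be spotted without touching ssh itself. The following is an added example, not OpenSSH code and not something either poster provided: a small Python parser for known_hosts that understands plain, comma-separated and HashKnownHosts-style `|1|salt|hash|` entries and reports which key types are present for a name versus its IP. The host name `example.org`, the address `192.0.2.10`, the salt and the truncated key blobs are all constructed placeholders.

```python
import base64
import hashlib
import hmac


def hash_host(hostname: str, salt: bytes) -> str:
    """Encode a host field the way ssh writes it with HashKnownHosts=yes:
    |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))|"""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def host_matches(field: str, candidate: str) -> bool:
    """True if a known_hosts host field (plain, comma list or hashed)
    refers to `candidate`."""
    if field.startswith("|1|"):
        # Hashed entry: recompute the HMAC with the stored salt and compare.
        _, _, salt_b64, digest_b64, _ = field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hmac.new(salt, candidate.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, actual)
    return candidate in field.split(",")


def parse_known_hosts(text: str):
    """Yield (host_field, key_type) for every key line in known_hosts text."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].startswith("@"):  # @cert-authority / @revoked marker
            parts = parts[1:]
        if len(parts) < 3:  # need host, key type, key blob
            continue
        yield parts[0], parts[1]


def key_types_for(text: str, host: str) -> set:
    """Set of key types recorded for `host` (by name or by address)."""
    return {kt for field, kt in parse_known_hosts(text) if host_matches(field, host)}


def audit(text: str, hostname: str, ip: str) -> dict:
    """Compare what known_hosts records for a host name and for its IP.
    `missing_for_ip` lists key types present for the name but absent for
    the address, which is the inconsistency described in the thread."""
    by_name = key_types_for(text, hostname)
    by_ip = key_types_for(text, ip)
    return {
        "name": sorted(by_name),
        "ip": sorted(by_ip),
        "missing_for_ip": sorted(by_name - by_ip),
    }


# Constructed sample known_hosts (placeholder salt and truncated key blobs).
SAMPLE_SALT = b"0123456789abcdefghij"
SAMPLE_HOST = "example.org"
SAMPLE_IP = "192.0.2.10"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# hashed name: both ecdsa and ed25519 recorded",
    hash_host(SAMPLE_HOST, SAMPLE_SALT) + " ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY...",
    hash_host(SAMPLE_HOST, SAMPLE_SALT) + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...",
    "# hashed IP: only ecdsa recorded, ed25519 entry missing",
    hash_host(SAMPLE_IP, SAMPLE_SALT) + " ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY...",
    "# an unrelated plain entry",
    "other.example.net,203.0.113.5 ssh-rsa AAAAB3NzaC1yc2E...",
])

if __name__ == "__main__":
    print(audit(SAMPLE_KNOWN_HOSTS, SAMPLE_HOST, SAMPLE_IP))
```

Running the audit on the constructed sample reports `ssh-ed25519` under `missing_for_ip`, i.e. the name has an ED25519 entry but the address does not. With a real file, pass the contents of `~/.ssh/known_hosts` and the name and address you connect with; a non-empty `missing_for_ip` is the state in which the thread's poster saw the mismatch prompt.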

