SSH host key rotation – known_hosts file not updated

Jan Eden tech at eden.one
Mon Oct 14 20:30:36 AEDT 2024


On 2024-10-14 14:48, Damien Miller wrote:

> On Sun, 13 Oct 2024, Jan Eden via openssh-unix-dev wrote:
> > When I connect to serverA (`ssh -v -o UpdateHostKeys=yes serverA`)
> > afterwards, known_hosts on the client is not updated. The output of the
> > ssh command contains this:
> > 
> > debug1: Host '[serverA.domain.internal]:22' is known and matches the ED25519 host key.
> > # ...
> > debug1: client_input_hostkeys: searching /Users/snafu/.ssh/known_hosts for [serverA.domain.internal]:22 / (none)
> > debug1: client_input_hostkeys: searching /Users/snafu/.ssh/known_hosts2 for [serverA.domain.internal]:22 / (none)
> > debug1: client_input_hostkeys: hostkeys file /Users/snafu/.ssh/known_hosts2 does not exist
> > debug1: client_input_hostkeys: host key found matching a different name/address, skipping UserKnownHostsFile update

> One weird thing is this:
> 
> > debug1: Host '[serverA.domain.internal]:22' is known and matches the ED25519 host key.
> 
> ssh doesn't usually decorate the hostname with port numbers like this for
> the default port 22. Did you redact the output?

Yes, I redacted hostname and port – sorry, should have mentioned that.

> Anyway, in answer to your question. The "host key found matching a different
> name/address" is triggered when a key received from the server in an update
> already exists under a different name. If you turn the debugging level up,
> then you'll see the name(s) that it matches too:
> 
>   2100          if (sshkey_equal(l->key, ctx->keys[i])) {
>   2101                  ctx->other_name_seen = 1;
>   2102                  debug3_f("found %s key under different "
>   2103                      "name/addr at %s:%ld",
>   2104                      sshkey_ssh_name(ctx->keys[i]),
>   2105                      l->path, l->linenum);
>   2106                  return 0;
>   2107          }
>   2108  }

Thank you! Increasing the verbosity revealed a known_hosts entry linked
to serverA's IP address (I had forgotten that I had connected to it by
IP address at some point). Deleting this entry solved the problem; the
new host key was stored in known_hosts when I connected to serverA
again.

- Jan
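The check Damien quotes (a key received in an update that already sits in known_hosts under another name or address) is easy to reproduce offline. The script below is an added example for this thread, not OpenSSH code: it parses a constructed known_hosts file, reports keys stored under several names, and lists the lines that would trip the "found key under different name/addr" condition for a given host. It handles plain names and hashed `|1|salt|hash` entries (HMAC-SHA1 over the hostname, as `HashKnownHosts` writes them); wildcard and negated patterns are not implemented, so treat it as an approximation of ssh's matching. The hostnames, IP address, salt and key blobs are all placeholders.

```python
"""Diagnose why UpdateHostKeys may skip writing a new key: find host keys
that already exist in known_hosts under a different name or address.
Added example, not OpenSSH code; it approximates the check quoted in the thread."""
import base64
import hashlib
import hmac
from collections import defaultdict


def hash_hostname(host, salt):
    """Build a known_hosts hashed-host token: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def hostname_matches(hosts_field, host):
    """True if `host` matches any comma-separated pattern in the hosts field.
    Exact names and hashed (|1|...) entries are handled; wildcard and negated
    patterns are not, so this only approximates ssh's matching."""
    for pattern in hosts_field.split(","):
        if pattern.startswith("|1|"):
            parts = pattern.split("|")
            if len(parts) != 4:
                continue
            salt = base64.b64decode(parts[2])
            if hmac.compare_digest(hash_hostname(host, salt), pattern):
                return True
        elif pattern == host:
            return True
    return False


def parse_known_hosts(text):
    """Parse known_hosts lines into dicts, keeping 1-based line numbers for reporting."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = fields.pop(0) if fields[0].startswith("@") else None  # @revoked / @cert-authority
        if len(fields) < 3:
            continue  # malformed line; ssh ignores it too
        entries.append({"line": lineno, "marker": marker, "hosts": fields[0],
                        "keytype": fields[1], "key": fields[2]})
    return entries


def keys_under_multiple_names(entries):
    """Map (keytype, key) -> entries, keeping only keys that appear on more than one line."""
    by_key = defaultdict(list)
    for e in entries:
        by_key[(e["keytype"], e["key"])].append(e)
    return {k: v for k, v in by_key.items() if len(v) > 1}


def other_name_lines(entries, host, keytype, key):
    """Line numbers where `key` is stored under a name that does NOT match `host`.
    A non-empty result is the situation behind ssh's
    'host key found matching a different name/address, skipping ... update'."""
    return [e["line"] for e in entries
            if e["marker"] is None and e["keytype"] == keytype and e["key"] == key
            and not hostname_matches(e["hosts"], host)]


# Constructed sample file. serverA's ed25519 key was also recorded under the IP
# address it was once reached by (lines 2 and 3), which is the thread's situation.
SALT = bytes(range(20))  # fixed constructed salt so the hashed line is reproducible
KEY_A = "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYAAAA"  # placeholder blob, not a real key
KEY_B = "AAAAB3NzaC1yc2EAAAADAQABAAAAEXAMPLEKEYB"  # placeholder blob, not a real key
KEY_C = "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYCCCC"  # placeholder blob, not a real key
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "serverA.domain.internal ssh-ed25519 " + KEY_A,
    "10.0.0.5 ssh-ed25519 " + KEY_A,
    "serverB.domain.internal,10.0.0.6 ssh-rsa " + KEY_B,
    hash_hostname("serverC.domain.internal", SALT) + " ssh-ed25519 " + KEY_C,
])


def report(text=SAMPLE_KNOWN_HOSTS):
    """Return human-readable lines describing keys stored under several names."""
    out = []
    for (keytype, _), hits in keys_under_multiple_names(parse_known_hosts(text)).items():
        where = ", ".join("line %d (%s)" % (e["line"], e["hosts"]) for e in hits)
        out.append("%s key stored under several names: %s" % (keytype, where))
    return out


if __name__ == "__main__":
    for line in report():
        print(line)
```

For a host reached on a non-default port, pass the name in the `[host]:port` form ssh uses in known_hosts (the form visible in the debug output above); hashed entries are computed over that same string. Once the stale line is identified, `ssh-keygen -R <name-or-address>` removes every entry for that name (here it would be the IP address) and the next connection with `UpdateHostKeys=yes` can store the rotated key, which is the manual deletion described in the reply.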