[Bug 2241] New: ssh-keygen -R removes matching key as well as @cert-authority

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu May 8 23:13:19 EST 2014


            Bug ID: 2241
           Summary: ssh-keygen -R removes matching key as well as
           Product: Portable OpenSSH
           Version: 6.6p1
          Hardware: amd64
                OS: Mac OS X
            Status: NEW
          Severity: minor
          Priority: P5
         Component: ssh-keygen
          Assignee: unassigned-bugs at mindrot.org
          Reporter: mlindgren at runelind.net

I have confirmed this behavior from OpenSSH 6.6 in OS X (from MacPorts)
and 6.6 in Ubuntu.  I have set up an SSH Certificate authority, and as
such I put in the following line at the top of my known_hosts file

@cert-authority *.mydomain.com ssh-rsa <public key>

Below this are all my hashed entries for various other hosts that I've
contacted over the years.

If I do ssh-keygen -R <ip> it has the unintended consequence of
matching on the offending entry in the known_hosts file *and* my
cert-authority entry:

$ ssh-keygen -R
# Host found: line 1 type RSA <--This is my cert-authority
# Host found: line 512 type ECDSA
/Users/mlindgren/.ssh/known_hosts updated.
Original contents retained as /Users/mlindgren/.ssh/known_hosts.old
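
As an added example that is not part of this bug report or of OpenSSH: a small Python stand-in for the `-R` step that deletes plain or hashed entries for one host but skips `@cert-authority` and `@revoked` marker lines, so a CA line at the top of known_hosts survives. It assumes the hashed-host format `|1|salt|HMAC-SHA1(host)` written by HashKnownHosts; the sample file and the key strings in it are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Marker lines are never candidates for removal, whatever host they cover.
MARKERS = ("@cert-authority", "@revoked")

def hash_host(host: str, salt: bytes) -> str:
    """Build the hashed host field used by HashKnownHosts: |1|salt|HMAC-SHA1."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_field_matches(field: str, host: str) -> bool:
    """True if a known_hosts host field names `host` (hashed or plain, exact name only)."""
    if field.startswith("|1|"):
        parts = field.split("|")
        if len(parts) != 4:
            return False
        try:
            salt = base64.b64decode(parts[2])
            want = base64.b64decode(parts[3])
        except ValueError:
            return False
        got = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(got, want)
    # Plain entries may list several names separated by commas. Wildcard
    # patterns are deliberately not matched, so a line shared by many hosts
    # is never dropped because one of them is being removed.
    return host.lower() in (n.lower() for n in field.split(","))

def prune_known_hosts(text: str, host: str) -> tuple:
    """Return (new_text, removed_lines). Marker, comment and blank lines are kept."""
    kept, removed = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith(MARKERS):
            kept.append(line)
            continue
        host_field = stripped.split(None, 1)[0]
        (removed if host_field_matches(host_field, host) else kept).append(line)
    return "\n".join(kept) + ("\n" if text.endswith("\n") else ""), removed

# Constructed sample file: a CA line, then plain, hashed and unrelated entries.
SAMPLE = "\n".join([
    "@cert-authority *.mydomain.com ssh-rsa AAAAB3-CA-KEY-PLACEHOLDER",
    "web.mydomain.com,10.0.0.5 ssh-ed25519 AAAAC3-KEY-PLACEHOLDER-1",
    hash_host("10.0.0.5", b"0123456789abcdef0123") + " ecdsa-sha2-nistp256 AAAAE2-KEY-PLACEHOLDER-2",
    hash_host("other.example.org", b"fedcba9876543210fedc") + " ssh-ed25519 AAAAC3-KEY-PLACEHOLDER-3",
]) + "\n"

if __name__ == "__main__":
    new_text, gone = prune_known_hosts(SAMPLE, "10.0.0.5")
    print("removed %d line(s); CA line kept: %s" % (len(gone), "@cert-authority" in new_text))
```

Run it against a copy of the file first and diff the result; the removed lines are returned so they can be logged before anything is written back.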
