UpdateHostkeys now enabled by default

Damien Miller djm at mindrot.org
Sun Oct 4 18:27:38 AEDT 2020


On Sun, 4 Oct 2020, Matthieu Herrb wrote:

> Hi,
> 
> on OpenBSD-current I now get this when connecting to an existing
> machine for which I have both ecdsa and ed25519 keys in my existing
> known_hosts (but apparently ed25519 keys were added only for the name
> previously by ssh):
> 
> Warning: the ED25519 host key for 'freedom' differs from the key for
> the IP address '2a03:7220:8081:6101:6552:9ca8:512b:9251'
> Offending key for IP in /home/matthieu/.ssh/known_hosts:53
> Matching host key in /home/matthieu/.ssh/known_hosts:131
> Are you sure you want to continue connecting (yes/no)?
> 
> line 53 is the ecdsa key for the given address, 131 is the ed25519 key
> for the name. None of the name or the IP address for freedom changed
> (and the behaviour is the same with IPv4)
> 
> If I answer 'yes' the known_hosts file is not updated. I have to
> remove the ecdsa key manually to have the ed25519 key for the IP
> address added automatically.
> 
> i.e.:
> 
> % ssh-keygen -R '2a03:7220:8081:6101:6552:9ca8:512b:9251'
> # Host 2a03:7220:8081:6101:6552:9ca8:512b:9251 found: line 53
> /home/matthieu/.ssh/known_hosts updated.
> Original contents retained as /home/matthieu/.ssh/known_hosts.old
> % ssh freedom
> Warning: Permanently added the ED25519 host key for IP address
> '2a03:7220:8081:6101:6552:9ca8:512b:9251' to the list of known hosts.
> 
> 
> I find this quite disturbing (and it breaks some non-interactive
> scripts). Is it the intended behaviour?

No - I think you've stumbled on a corner case I hadn't anticipated.
Does your configuration override CheckHostIP at all?

What are the known_hosts entries for the hostname and IP?

Thanks,
Damien
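Added example, not code from this thread or from OpenSSH: a small Python check that parses known_hosts content (plain and HashKnownHosts-style hashed entries) and lists the key types recorded for a hostname that have no counterpart under its IP address, which is the state Matthieu describes (an ecdsa entry for the IP, an ed25519 entry only for the name). The file contents, line numbers and key blobs below are constructed placeholders, and wildcard or negated host patterns are not handled.

```python
import base64
import hashlib
import hmac

IP = "2a03:7220:8081:6101:6552:9ca8:512b:9251"

def hash_host(host: str, salt: bytes) -> str:
    """HashKnownHosts-style host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

# Constructed known_hosts content mirroring the report: 'freedom' has ecdsa and
# ed25519 entries (the latter hashed), the IPv6 address only ecdsa. Key blobs are placeholders.
KNOWN_HOSTS = "\n".join([
    "%s ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY_PLACEHOLDER" % IP,
    "freedom,freedom.example ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY_PLACEHOLDER",
    "%s ssh-ed25519 AAAAC3NzaC1lZDI1NTE5_PLACEHOLDER" % hash_host("freedom", b"\x01" * 20),
])

def host_matches(field: str, host: str) -> bool:
    """True if a host field (comma-separated, plain or hashed) names `host`; no wildcards/negation."""
    for name in field.split(","):
        if name.startswith("|1|"):
            _, _, salt_b64, mac_b64 = name.split("|")
            mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(mac, base64.b64decode(mac_b64)):
                return True
        elif name == host:
            return True
    return False

def key_types_for(known_hosts: str, host: str) -> dict:
    """Map key type -> first known_hosts line number that records it for `host`."""
    found = {}
    for lineno, line in enumerate(known_hosts.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # skip @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) >= 3 and host_matches(fields[0], host):
            found.setdefault(fields[1], lineno)
    return found

def types_missing_for_ip(known_hosts: str, name: str, ip: str) -> dict:
    """Key types recorded for `name` but absent for `ip`: the condition behind
    the 'differs from the key for the IP address' prompt in the report."""
    by_name, by_ip = key_types_for(known_hosts, name), key_types_for(known_hosts, ip)
    return {t: line for t, line in by_name.items() if t not in by_ip}
```

Running `types_missing_for_ip` over a real ~/.ssh/known_hosts before a non-interactive job flags hosts whose IP entries lag behind their name entries, so they can be fixed up in advance instead of stalling on the prompt.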

