UpdateHostkeys now enabled by default

Damien Miller djm at mindrot.org
Sun Oct 4 22:50:32 AEDT 2020


On Sun, 4 Oct 2020, Matthieu Herrb wrote:

> On Sun, Oct 04, 2020 at 09:24:12PM +1100, Damien Miller wrote:
> > On Sun, 4 Oct 2020, Damien Miller wrote:
> > 
> > > No - I think you've stumbled on a corner case I hadn't anticipated.
> > > Does your configuration override CheckHostIP at all?
> 
> No.
> 
> > > 
> > > What are the known_hosts entries for the hostname and IP?
> > 
> > Also, do you use HashKnownHosts? or do you have any hashed host lines
> > in known_hosts?
> 
> Yes, I use HashKnownHosts, yes.

Thanks - I think that was the missing piece of the puzzle. Can you
please try this diff? It lets UpdateKnownHosts store entries for
the IP address as well as the hostname.

diff --git a/hostfile.c b/hostfile.c
index 3dc9809..9ec9afa 100644
--- a/hostfile.c
+++ b/hostfile.c
@@ -449,6 +449,9 @@ write_host_entry(FILE *f, const char *host, const char *ip,
 	else
 		error("%s: sshkey_write failed: %s", __func__, ssh_err(r));
 	fputc('\n', f);
+	/* If hashing is enabled, the IP address needs to go on its own line */
+	if (success && store_hash && ip != NULL)
+		success = write_host_entry(f, ip, NULL, key, 1);
 	return success;
 }
 
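Review bot: the recursive call `write_host_entry(f, ip, NULL, key, 1)` hard-codes `1` for `store_hash` even though this branch is only reached when `store_hash` is already true; passing `store_hash` through keeps the two call paths in step and makes the intent obvious. Two smaller points on the same lines: if a caller can hand in `ip` equal to `host` (a session opened against a bare IP literal), this writes two hashed lines for the same address, so either a `strcmp(host, ip) != 0` guard here or a comment saying the caller already filters that case would help; and `success` is tested before the recursion while the `fputc('\n', f)` just above it is unchecked, so a failed newline write still appends the IP line directly after a truncated hostname line.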


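Added example, not OpenSSH code and not part of the thread above: a small model in Python of why a hashed known_hosts entry cannot carry the IP on the hostname's line. A HashKnownHosts host field is "|1|<base64 salt>|<base64 HMAC-SHA1(salt, name)>|" and covers exactly one name, whereas an unhashed field may be a comma list such as "host,ip". The script builds and matches both kinds of field, mirrors the patched write_host_entry() logic as a function returning the lines it would append, and shows that a CheckHostIP-style lookup for the IP only succeeds once the IP has its own hashed line. The key line is a constructed placeholder; hash_host_field, host_field_matches, write_host_entry, lookup and demo are names chosen here, not OpenSSH's.

```python
import base64
import hashlib
import hmac
import os

# Constructed placeholder key line for the example; not a real host key.
KEY_LINE = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERkeyMaterialNotReal"


def hash_host_field(name, salt=None):
    """Build a HashKnownHosts host field: '|1|<b64 salt>|<b64 HMAC-SHA1(salt, name)>|'.

    One field covers exactly one name, which is why a hostname and its IP
    cannot share a hashed line the way 'host,ip' shares an unhashed one.
    """
    if salt is None:
        salt = os.urandom(20)  # 20-byte random salt, as OpenSSH uses
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (
        base64.b64encode(salt).decode(),
        base64.b64encode(mac).decode(),
    )


def host_field_matches(field, name):
    """Match a known_hosts host field (hashed, or a plain comma list) against name."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64, _ = field.split("|")
        salt = base64.b64decode(salt_b64)
        want = base64.b64decode(mac_b64)
        got = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(got, want)
    return name in field.split(",")


def write_host_entry(host, ip, key_line, store_hash):
    """Model of the patched logic: return the known_hosts lines to append.

    Unhashed: a single 'host,ip key' line.  Hashed: one line per name, so the
    IP (when given) goes on its own line, which is what the patch adds.
    """
    if not store_hash:
        names = host if ip is None else "%s,%s" % (host, ip)
        return ["%s %s" % (names, key_line)]
    lines = ["%s %s" % (hash_host_field(host), key_line)]
    if ip is not None:
        lines.append("%s %s" % (hash_host_field(ip), key_line))
    return lines


def lookup(lines, name):
    """Return the lines whose host field matches name (the CheckHostIP lookup for an IP)."""
    return [ln for ln in lines if host_field_matches(ln.split(" ", 1)[0], name)]


def demo():
    host, ip = "example.org", "192.0.2.10"
    # Only a hashed hostname line present: a lookup for the IP finds nothing.
    host_only = write_host_entry(host, None, KEY_LINE, True)
    # Patched behaviour: the IP is written as its own hashed line.
    both = write_host_entry(host, ip, KEY_LINE, True)
    # Hashing 'host,ip' as though it were one name matches neither lookup.
    packed = ["%s %s" % (hash_host_field("%s,%s" % (host, ip)), KEY_LINE)]
    return {
        "host_only_ip_hits": len(lookup(host_only, ip)),
        "both_host_hits": len(lookup(both, host)),
        "both_ip_hits": len(lookup(both, ip)),
        "packed_ip_hits": len(lookup(packed, ip)),
    }


if __name__ == "__main__":
    print(demo())
```

The salt is random per call, so two hashed lines for the same name never compare equal as strings; matching has to recompute the HMAC with the stored salt, which is what host_field_matches does and what makes a one-name-per-line layout unavoidable when hashing is on.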