UpdateHostkeys now enabled by default

Matthieu Herrb matthieu at herrb.eu
Mon Oct 5 05:00:12 AEDT 2020


On Sun, Oct 04, 2020 at 06:41:05PM +0200, Matthieu Herrb wrote:
> 
> thanks for the patch, unfortunately it doesn't solve the issue. ssh is
> still claiming that the ecdsa key present in known_hosts differs from
> the ed25519 key.
> And if I answer yes to the question known_hosts is not updated.
> 
> The way to fix this is still to remove the ecdsa key from
> known_hosts manually.
> 

More data points. I started experimenting with
-o 'UserKnownHostsFile freedom' -o 'UpdateHostKeys ask'

where 'freedom' is a minimal known_hosts file

(with your patch applied, and hashed names / IP addresses):

If only ecdsa keys are in freedom:

- if both the lines for the hashed IP address and name are there, ssh
  connects and asks to add updated keys. It adds existing rsa (?) and
  ed25519 keys for both the hashed name and the IP.

- if only the line for the hashed name is there, ssh adds the line
  with the hashed address and ecdsa key and then asks as above.

- if only the line for the hashed IP address is there, ssh claims that
  the identity can't be established and shows me the fingerprint of
  the ed25519 key.


If only ed25519 keys are there:

- if both lines for the hashed IP address and name are there, ssh
  connects.

- if only the line for the name is there, ssh connects and adds a line
  with the hash of the IP address (v4 or v6) and the ed25519 key.

- if only the line for the hashed IP address is there, ssh claims that
  the identity can't be established and shows me the fingerprint of
  the ed25519 key (that is in the known_hosts file with the hash of the IP).

If, like in my original situation, I have ecdsa keys for the hashed hostname
and IP but only the ed25519 key for the hashed host name, then ssh
claims:

Warning: the ED25519 host key for 'freedom' differs from the key for
the IP address '2a03:7220:8081:6101:6552:9ca8:512b:9251'
Offending key for IP in /home/matthieu/.ssh/freedom:4
Matching host key in /home/matthieu/.ssh/freedom:9

Line 4 is the line for the ecdsa key with the hashed IP.
Line 9 is the line for the ed25519 key with the hashed name.

-- 
Matthieu Herrb

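The known_hosts inspection done by hand above (which hashed lines match the name, which match the IP, and which key types each has) can be reproduced with the following added example. It is not OpenSSH code or code from the thread; the known_hosts text, the salt, the key blobs and the IPv6 address (a documentation-range placeholder) are all constructed, and only the host-field matching is implemented.

```python
"""Inspect hashed known_hosts entries: which lines match a name or an IP,
and which key types each has (constructed example, not OpenSSH code)."""
import base64
import hashlib
import hmac

def hash_host(host: str, salt: bytes) -> str:
    """Produce the '|1|salt|hash' field ssh-keygen -H writes (HMAC-SHA1)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())

def host_matches(field: str, host: str) -> bool:
    """True if a known_hosts host field (hashed or plain list) names `host`."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        salt, mac = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        return hmac.compare_digest(
            hmac.new(salt, host.encode(), hashlib.sha1).digest(), mac)
    return host in field.split(",")

def key_types_for(known_hosts: str, host: str) -> dict:
    """Map line number -> key type for every line whose host field matches."""
    found = {}
    for lineno, line in enumerate(known_hosts.splitlines(), start=1):
        parts = line.split()
        if len(parts) >= 3 and host_matches(parts[0], host):
            found[lineno] = parts[1]
    return found

def name_ip_mismatch(known_hosts: str, name: str, ip: str) -> set:
    """Key types recorded for the name but not for the IP: the situation
    behind the 'host key ... differs from the key for the IP address' warning."""
    name_types = set(key_types_for(known_hosts, name).values())
    ip_types = set(key_types_for(known_hosts, ip).values())
    return name_types - ip_types

# Constructed known_hosts: ecdsa for name and IP, ed25519 only for the name.
# Salt, key blobs and IP are made up; the key blobs are never decoded here.
SALT = bytes(range(20))
IP = "2001:db8::1"  # documentation-range placeholder, not a real address
KNOWN_HOSTS = "\n".join([
    hash_host("freedom", SALT) + " ecdsa-sha2-nistp256 AAAAconstructedEcdsaBlob=",
    hash_host(IP, SALT) + " ecdsa-sha2-nistp256 AAAAconstructedEcdsaBlob=",
    hash_host("freedom", SALT) + " ssh-ed25519 AAAAconstructedEd25519Blob=",
])

if __name__ == "__main__":
    for host in ("freedom", IP):
        print(host, key_types_for(KNOWN_HOSTS, host))
    print("recorded for name but not IP:", name_ip_mismatch(KNOWN_HOSTS, "freedom", IP))
```

Pointing the same functions at a real `~/.ssh/known_hosts` shows which line numbers ssh's "Offending key" and "Matching host key" messages refer to, and which key type is missing for the IP entry.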

More information about the openssh-unix-dev mailing list