UpdateHostkeys now enabled by default
Damien Miller
djm at mindrot.org
Mon Oct 5 18:55:45 AEDT 2020
On Mon, 5 Oct 2020, Matthieu Herrb wrote:
> > If that fails then please send a debug trace from ssh ("ssh -vvv
> > ...")
>
> Yes that works as expected in my tests. Thanks.
>
> The problem is more that, in the default config, ssh is now refusing
> to connect when in addition to ecdsa keys there is already an ED25519
> key for the hashed host name, but no hashed IP entry. The bare 8.4 ssh
> (from OpenBSD September 29 snapshot) does connect without asking in
> that situation.
I think it is because I just changed the preferred hostkey algorithm from
ECDSA to ED25519 and not because of the UpdateHostkeys.
Maybe CheckHostIP should be relaxed to not consider IP address lines in
known_hosts when the key type there is a lower priority algorithm than
the selected hostkey type. I need to think about it.
-d
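The CheckHostIP relaxation sketched above, worked through as an added example (not OpenSSH's code): it parses constructed known_hosts lines, including the hashed `|1|salt|hash` host form, and in relaxed mode ignores an IP-address line whose key type ranks below the negotiated one instead of treating it as a conflicting key. The PRIORITY order, host names, salt and key blobs are all assumptions.

```python
import base64
import hashlib
import hmac

# Assumed host key preference, highest priority first (ED25519 now ahead of ECDSA).
PRIORITY = ["ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"]

def hash_host(name, salt):
    """Hashed known_hosts host field: |1|b64(salt)|b64(HMAC-SHA1(salt, name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_field_matches(field, name):
    """True if a plain (comma-separated) or hashed host field names `name`."""
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(field, hash_host(name, salt))
    return name in field.split(",")

def parse_known_hosts(text):
    """Return (host_field, key_type, key_blob) tuples, skipping blanks and comments."""
    lines = (l.strip() for l in text.splitlines())
    return [tuple(l.split(None, 2)) for l in lines if l and not l.startswith("#")]

def check_host_ip(entries, name, ip, key_type, key_blob, relaxed):
    """Classify the IP check: 'unknown-host', 'ok', 'add' (no usable IP line) or 'mismatch'."""
    rank = lambda t: PRIORITY.index(t) if t in PRIORITY else len(PRIORITY)
    if not any(host_field_matches(h, name) and (t, k) == (key_type, key_blob)
               for h, t, k in entries):
        return "unknown-host"          # CheckHostIP only applies once the host key is known
    ip_lines = [(t, k) for h, t, k in entries if host_field_matches(h, ip)]
    if (key_type, key_blob) in ip_lines:
        return "ok"
    # Proposed relaxation: IP lines whose key type ranks below the negotiated
    # type are ignored rather than treated as a conflicting key for the address.
    if not ip_lines or (relaxed and all(rank(t) > rank(key_type) for t, _ in ip_lines)):
        return "add"
    return "mismatch"

# Constructed sample: hashed hostname lines for ECDSA and ED25519, but the IP
# address only has an ECDSA line (the situation described in the thread).
SALT = b"0123456789abcdefghij"
KNOWN_HOSTS = "\n".join([
    hash_host("example.test", SALT) + " ecdsa-sha2-nistp256 ECDSAKEYBLOB",
    hash_host("example.test", SALT) + " ssh-ed25519 ED25519KEYBLOB",
    hash_host("203.0.113.10", SALT) + " ecdsa-sha2-nistp256 ECDSAKEYBLOB",
])
ENTRIES = parse_known_hosts(KNOWN_HOSTS)
```

With the ED25519 key negotiated, `check_host_ip(ENTRIES, "example.test", "203.0.113.10", "ssh-ed25519", "ED25519KEYBLOB", relaxed=False)` reports a mismatch for the IP line, while `relaxed=True` treats the address as one that merely needs an ED25519 line added.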