bugzilla-daemon at mindrot.org
2013-Aug-28 20:29 UTC
[Bug 2145] New: ssh-keygen -R doesn't work when there are entries for "proxycommand" keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2145

            Bug ID: 2145
           Summary: ssh-keygen -R doesn't work when there are entries for
                    "proxycommand" keys
           Product: Portable OpenSSH
           Version: 6.2p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: trivial
          Priority: P5
         Component: ssh-keygen
          Assignee: unassigned-bugs at mindrot.org
          Reporter: hugh at davenport.net.nz

I can't seem to reproduce the same style entry, but below are snippets that should show what is wrong.

Basically the gist is that example.com is in known hosts, and is a hop point for a proxycommand for foo.example.com which has an explicit hostname of an IP address.

I tried to recreate it, but my current version of ssh automatically puts the hashed host entry, not the ip,<no hostip...> entry. They probably came from an earlier version of ssh.

$ ssh-keygen -f "/home/hdavenport/.ssh/known_hosts" -R example.com
# Host example.com found: line 1 type RSA
line 2 invalid key: 192.168.x.x,<no...
/home/hdavenport/.ssh/known_hosts is not a valid known_hosts file.
Not replacing existing known_hosts file because of errors

$ cat /home/hdavenport/.ssh/known_hosts
|1|hosthash ssh-rsa keyhash
192.168.x.x,<no hostip for proxy command> ssh-rsa keyhash

$ cat /home/hdavenport/.ssh/config
host foo.example.com
    proxycommand ssh -q example.com nc -q0 %h %p
    hostname 192.168.x.x

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2015-Feb-11 19:57 UTC
[Bug 2145] ssh-keygen -R doesn't work when there are entries for "proxycommand" keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2145

mindrot.org at pr5c.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mindrot.org at pr5c.com

--- Comment #1 from mindrot.org at pr5c.com ---
The invalid known_hosts entries are created by older versions of the Ruby library net-ssh: https://rubygems.org/gems/net-ssh

The bug is fixed in version 2.9.2 of net-ssh.
bugzilla-daemon at mindrot.org
2015-Feb-12 08:36 UTC
[Bug 2145] ssh-keygen -R doesn't work when there are entries for "proxycommand" keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2145

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Status|NEW                         |RESOLVED
         Resolution|---                         |WORKSFORME

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
This is working as intended: if the known_hosts file is messed up then ssh-keygen -R bails out instead of blundering ahead and destroying it further.

We've fixed the bug in ssh that put the "<no hostip for proxy command>" entries in known_hosts to begin with a while back IIRC.
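Added example (not part of the bug thread and not OpenSSH code): a pre-check that locates malformed lines such as the "<no hostip for proxy command>" entry quoted in the report, so they can be reviewed before ssh-keygen -R is run. It assumes protocol 2 entries with whitespace-separated fields (optional marker, hostnames, key type, base64 key) as documented in sshd(8); the function names and the sample key material are constructed for illustration.

```python
import base64

MARKERS = ("@cert-authority", "@revoked")

def check_line(line):
    """Return None if a known_hosts line is well formed, else the reason it is not."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None  # blank lines and comments are allowed
    if fields[0] in MARKERS:
        fields = fields[1:]
    if len(fields) < 3:
        return "expected: hostnames keytype base64-key"
    keytype, blob = fields[1], fields[2]
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return f"field after {keytype!r} is not base64"
    # An SSH public key blob starts with a length-prefixed copy of its key type.
    n = int.from_bytes(raw[:4], "big")
    if raw[4:4 + n] != keytype.encode():
        return f"key blob does not match key type {keytype!r}"
    return None

def split_known_hosts(text):
    """Return (well-formed lines, [(lineno, reason, line), ...]) for the file text."""
    good, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        reason = check_line(line)
        if reason is None:
            good.append(line)
        else:
            bad.append((lineno, reason, line))
    return good, bad

def sample_blob(keytype):
    # Constructed stand-in for a key: correct framing, meaningless key material.
    framed = len(keytype).to_bytes(4, "big") + keytype.encode() + b"\0" * 8
    return base64.b64encode(framed).decode()

# Constructed sample: line 2 has the shape of the entry quoted in the bug report.
SAMPLE = "\n".join([
    "|1|c2FsdA==|aGFzaA== ssh-rsa " + sample_blob("ssh-rsa"),
    "192.168.x.x,<no hostip for proxy command> ssh-rsa " + sample_blob("ssh-rsa"),
])

if __name__ == "__main__":
    for lineno, reason, line in split_known_hosts(SAMPLE)[1]:
        print(f"line {lineno}: {reason}: {line[:40]}...")
```

The spaces inside the host field shift every later field, so the checker sees "hostip" where the key type should be and "for" where the key should be.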
bugzilla-daemon at mindrot.org
2015-Aug-11 13:05 UTC
[Bug 2145] ssh-keygen -R doesn't work when there are entries for "proxycommand" keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2145

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1