bugzilla-daemon at bugzilla.mindrot.org
2008-Jan-04 17:45 UTC
[Bug 1426] New: ssh key verification hint (on remote side)
https://bugzilla.mindrot.org/show_bug.cgi?id=1426

           Summary: ssh key verification hint (on remote side)
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 4.7p1
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: sshd
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: js at lastlog.de

Everyone has seen the lines attached to this bug report. Please add a note to that warning how I can list all fingerprints "FROM" and "ON" the remote side so that I could see what is going on. Say I have another ssh session still running so I would not have to accept the new host key first.

The line could look like this:

******************* <please add this to the warning> *******************
You can verify your fingerprint on the remote side with:
  ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
(in case your keys are stored somewhere else, adapt the path)

If the fingerprint from the remote side and the one your client states to be new match there is no 'man in the middle attack' going on and you can safely accept the new fingerprint on the client side with 'yes'.
******************* </please add this to the warning> *******************

====== attachment =================

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for [domain]:port has changed,
and the key for the according IP address [ip.ip.ip.ip]:port
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
aa:bb:cc:dd:ee:ff:gg:hh:ii:jj:...
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending key in /home/user/.ssh/known_hosts:15
RSA host key for [domain]:port has changed and you have requested strict checking.
Host key verification failed.

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2008-Jan-19 19:35 UTC
[Bug 1426] ssh key verification hint (on remote side)
https://bugzilla.mindrot.org/show_bug.cgi?id=1426

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org>  2008-01-20 06:35:25 ---
Sorry, but I think the warning is long enough already and it already suggests the preferred way to avoid the warning (copy the actual pubkey).
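Added example, not part of the original thread and not OpenSSH code: a check that takes the public key line copied from the server (the approach named in comment #1, or the contents of the .pub file behind the ssh-keygen command in the report) and tests whether the fingerprint printed in the client warning belongs to it, in either the colon-separated MD5 form shown in the attachment or the newer SHA256 form. The function names are hypothetical, the key is built from constructed bytes, and the key line is assumed to have been fetched over a channel that is already trusted, such as the still-open session the reporter mentions.

```python
import base64
import hashlib
import hmac
import struct

def parse_pubkey_line(line):
    """Return (keytype, blob) from a .pub or known_hosts line."""
    fields = line.split()
    for keytype, b64 in zip(fields, fields[1:]):
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue  # host names, markers and comments are not key blobs
        if len(blob) >= 4:
            (n,) = struct.unpack(">I", blob[:4])
            # The blob starts with its own type string; it must agree with the field.
            if blob[4:4 + n] == keytype.encode():
                return keytype, blob
    raise ValueError("no public key found in line")

def fingerprints(blob):
    """Colon-separated MD5 form (as in the 2008 warning text) and the SHA256 form."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}

def matches(server_key_line, client_reported):
    """True only if the fingerprint the client printed belongs to this key."""
    fp = fingerprints(parse_pubkey_line(server_key_line)[1])
    reported = client_reported.strip()
    if reported.startswith("SHA256:"):
        expected, reported = fp["sha256"], reported.rstrip("=")
    else:
        if reported.upper().startswith("MD5:"):
            reported = reported[4:]
        expected, reported = fp["md5"], reported.lower()
    return hmac.compare_digest(expected.encode(), reported.encode())

def constructed_rsa_line(modulus):
    """Build a syntactically valid ssh-rsa line from constructed bytes (not a real key)."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(b"\x00" + modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"

if __name__ == "__main__":
    line = constructed_rsa_line(b"\xc3" * 128)
    print(matches(line, fingerprints(parse_pubkey_line(line)[1])["md5"]))
```

A mismatch means the key the client was offered is not the key stored on the server, so the new host key should not be accepted.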
bugzilla-daemon at bugzilla.mindrot.org
2008-Apr-03 23:02 UTC
[Bug 1426] ssh key verification hint (on remote side)
https://bugzilla.mindrot.org/show_bug.cgi?id=1426

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org>  2008-04-04 10:02:07 ---
Close resolved bugs after release.