bugzilla-daemon at bugzilla.mindrot.org
2010-Dec-09 15:59 UTC
[Bug 1843] New: ssh should mention ssh-keyscan in remote host fingerprint warning
https://bugzilla.mindrot.org/show_bug.cgi?id=1843

Summary: ssh should mention ssh-keyscan in remote host fingerprint warning
Product: Portable OpenSSH
Version: 5.6p1
Platform: All
OS/Version: All
Status: NEW
Severity: minor
Priority: P2
Component: ssh
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: smoser at ubuntu.com

Created attachment 1972
--> https://bugzilla.mindrot.org/attachment.cgi?id=1972
patch

ssh should mention ssh-keyscan when it warns about remote host fingerprint.

I find that many people are unaware that ssh-keygen can remove lines from known_hosts for them. Adding a copy-and-pasteable message in the warning will make users more aware and make it easier for them to do so.

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Dec-09 16:05 UTC
[Bug 1843] ssh should mention ssh-keyscan in remote host fingerprint warning
https://bugzilla.mindrot.org/show_bug.cgi?id=1843

--- Comment #1 from Scott Moser <smoser at ubuntu.com> 2010-12-10 03:05:26 EST ---
I'd also sent this to the mailing list:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2010-December/029084.html
bugzilla-daemon at bugzilla.mindrot.org
2010-Dec-09 16:30 UTC
[Bug 1843] ssh should mention ssh-keyscan in remote host fingerprint warning
https://bugzilla.mindrot.org/show_bug.cgi?id=1843

Scott Moser <smoser at ubuntu.com> changed:

What | Removed | Added
-----|---------|------
CC   |         | smoser at ubuntu.com
bugzilla-daemon at bugzilla.mindrot.org
2010-Dec-14 11:51 UTC
[Bug 1843] ssh should mention ssh-keyscan in remote host fingerprint warning
https://bugzilla.mindrot.org/show_bug.cgi?id=1843

Colin Watson <cjwatson at debian.org> changed:

What                         | Removed | Added
-----------------------------|---------|------
Attachment #1972 is obsolete | 0       | 1

--- Comment #2 from Colin Watson <cjwatson at debian.org> 2010-12-14 22:51:05 EST ---
Created attachment 1977
--> https://bugzilla.mindrot.org/attachment.cgi?id=1977
use ip/host not ip_line/host_line

I think Scott picked out the wrong version of this patch to send; -R <ip_line> can't possibly work. Here's a corrected version.
bugzilla-daemon at bugzilla.mindrot.org
2010-Dec-14 11:51 UTC
[Bug 1843] ssh should mention ssh-keyscan in remote host fingerprint warning
https://bugzilla.mindrot.org/show_bug.cgi?id=1843

Colin Watson <cjwatson at debian.org> changed:

What | Removed | Added
-----|---------|------
CC   |         | cjwatson at debian.org
bugzilla-daemon at bugzilla.mindrot.org
2010-Dec-15 10:23 UTC
[Bug 1843] ssh should mention ssh-keygen in remote host fingerprint warning
https://bugzilla.mindrot.org/show_bug.cgi?id=1843

Darren Tucker <dtucker at zip.com.au> changed:

What    | Removed | Added
--------|---------|------
CC      |         | dtucker at zip.com.au
Summary | ssh should mention ssh-keyscan in remote host fingerprint warning | ssh should mention ssh-keygen in remote host fingerprint warning

--- Comment #3 from Darren Tucker <dtucker at zip.com.au> 2010-12-15 21:23:01 EST ---
I think encouraging cut-and-pasting something in response to a key mismatch warning instead of having people *thinking* about the key change and why it changed is
bugzilla-daemon at bugzilla.mindrot.org
2010-Dec-15 10:23 UTC
[Bug 1843] ssh should mention ssh-keygen in remote host fingerprint warning
https://bugzilla.mindrot.org/show_bug.cgi?id=1843

--- Comment #4 from Darren Tucker <dtucker at zip.com.au> 2010-12-15 21:23:59 EST ---
(In reply to comment #3)
> I think encouraging cut-and-pasting something in response to a key
> mismatch warning instead of having people *thinking* about the key
> change and why it changed is

bah. "I think encouraging cut-and-pasting something in response to a key mismatch warning instead of having people *thinking* about the key change and why it changed is not a good idea"
bugzilla-daemon at bugzilla.mindrot.org
2010-Dec-15 14:48 UTC
[Bug 1843] ssh should mention ssh-keygen in remote host fingerprint warning
https://bugzilla.mindrot.org/show_bug.cgi?id=1843

--- Comment #5 from Scott Moser <smoser at ubuntu.com> 2010-12-16 01:48:18 EST ---
I expected the "make it hard to do so people know what they're doing response". I really don't think it's all that valid.

The user is still forced to take manual action, finding, selecting, and pasting the command line. The "finding" is non-trivial, and in the output message (with example below), the most obvious and important warning message still stands out.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
c5:43:dd:69:56:82:2c:30:4c:03:57:45:aa:de:26:31.
Please contact your system administrator.
Add correct host key in /home/smoser/.ssh/known_hosts.uec to get rid of this message.
Offending key in /home/smoser/.ssh/known_hosts.uec:1
 remove with: ssh-keygen -f "/home/smoser/.ssh/known_hosts.uec" -R kearney
RSA host key for kearney has changed and you have requested strict checking.
Host key verification failed.
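An added example, not part of the thread or of the attached patch: one way to act on the concern in comments #3 and #4 is to replace the stored key only after the offered key's fingerprint matches a value obtained out of band, in the colon-separated MD5 format the warning above prints. The function names, the sample known_hosts text and the key blobs are constructed for illustration; hashed host names are not handled.

```python
import base64
import hashlib

def md5_fingerprint(key_b64: str) -> str:
    """Colon-separated MD5 hex of the key blob, the format shown in the warning."""
    digest = hashlib.md5(base64.b64decode(key_b64), usedforsecurity=False).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def replace_if_verified(known_hosts: str, host: str, offered: str, trusted_fp: str):
    """Swap host's stored key for the offered one only when the offered key's
    fingerprint equals trusted_fp, a value obtained out of band (assumption:
    the administrator supplied it). Returns (new_text, changed)."""
    keytype, key_b64 = offered.split()[:2]
    if md5_fingerprint(key_b64) != trusted_fp.strip().lower():
        return known_hosts, False          # mismatch: leave the file untouched
    kept = []
    for line in known_hosts.splitlines():
        fields = line.split()
        # Plain (unhashed) entries look like "host1,host2 keytype base64 [comment]".
        # A line naming this host with the same key type is dropped whole.
        stale = (len(fields) >= 3 and host in fields[0].split(",")
                 and fields[1] == keytype)
        if not stale:
            kept.append(line)
    kept.append(f"{host} {keytype} {key_b64}")
    return "\n".join(kept) + "\n", True

def _constructed_key(tag: bytes) -> str:
    # Constructed sample blob, not a real host key.
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + tag).decode()

OLD_KEY = _constructed_key(b"constructed-old-key")
NEW_KEY = _constructed_key(b"constructed-new-key")
# Constructed known_hosts content; "kearney" is the host from the warning above.
SAMPLE = f"kearney ssh-rsa {OLD_KEY}\nother.example ssh-rsa {OLD_KEY}\n"

if __name__ == "__main__":
    fp_from_admin = md5_fingerprint(NEW_KEY)   # stands in for the out-of-band value
    text, changed = replace_if_verified(SAMPLE, "kearney", f"ssh-rsa {NEW_KEY}", fp_from_admin)
    print(changed)
    print(text, end="")
```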