Steffen Nurpmeso
2015-Oct-09 16:50 UTC
Permanently added hostkeys (due to IP address pool), without confirmation
Hello,

maybe someone could please help and shed some light on a problem that i don't understand, and that even in multiple ways. The problem occurred three or four times over the past months (maybe half a year?) and manifests as

  ++ Pushing to "gitlab" (at least "master" differs)!
  Warning: Permanently added the RSA host key for IP address '104.46.105.89' to the list of known hosts.

I get no confirmation prompt, which i normally do?! Of course i do have a configuration file with an

  UserKnownHostsFile ~/arena/data/ssh/known_hosts

entry, and that already has a

  gitlab.com,54.93.71.23 DATA

line for months. I do have a "Host" entry for "*gitlab.org" (with explicit IdentityFile). The entry in known_hosts that i (hope to have confirmed correctly back then) is not identical with the other two entries, but which are, except for the addresses

--- k.1 2015-10-09 18:09:10.511793883 +0200
+++ k.2 2015-10-09 18:09:26.508373888 +0200
@@ -1,2 +1,2 @@
-52.21.36.51
+104.46.105.89
 ssh-rsa ...

I understand that the keys in k.1 and k.2 are the same that ssh-keyscan(1) gives me, whereas the address i verified does currently give no ssh-keyscan result at all. (I verified it back in the day in that i was able to login after placing my public key at their server via a HTTPS connection after i had created my account. I'm no expert in mathematics or the SSH protocols, but i'm confident as only a greenhorn or real expert can be.)

So: no confirmation prompt, no hostname but only the address for the entry in known_hosts even though the connection is to gitlab.com (they're appended though), and multiple entries with the same key. I'm on "OpenSSH_7.1p1, OpenSSL 1.0.2d 9 Jul 2015".

Thank you in advance for any hint, ciao,

--steffen
Damien Miller
2015-Oct-09 22:00 UTC
Permanently added hostkeys (due to IP address pool), without confirmation
On Fri, 9 Oct 2015, Steffen Nurpmeso wrote:

> Hello,
>
> maybe someone could please help and shed some light on a problem
> that i don't understand, and that even in multiple ways.
> The problem occurred three or four times over the past months
> (maybe half a year?) and manifests as
>
>   ++ Pushing to "gitlab" (at least "master" differs)!
>   Warning: Permanently added the RSA host key for IP address '104.46.105.89' to the list of known hosts.
>
> I get no confirmation prompt, which i normally do?!
> Of course i do have a configuration file with an
>
>   UserKnownHostsFile ~/arena/data/ssh/known_hosts
>
> entry, and that already has a
>
>   gitlab.com,54.93.71.23 DATA
>
> line for months. I do have a "Host" entry for "*gitlab.org" (with
> explicit IdentityFile). The entry in known_hosts that i (hope to
> have confirmed correctly back then) is not identical with the
> other two entries, but which are, except for the addresses
>
> --- k.1 2015-10-09 18:09:10.511793883 +0200
> +++ k.2 2015-10-09 18:09:26.508373888 +0200
> @@ -1,2 +1,2 @@
> -52.21.36.51
> +104.46.105.89
>  ssh-rsa ...

You have CheckHostIP enabled (it is on by default) and some DNS server or hosts file is returning 104.46.105.89 for that hostname. When ssh connects to 104.46.105.89, it is offering the same key as you have already learned for 52.21.36.51, so it is automatically added to known_hosts.

See ssh_config's entry on CheckHostIP for a few more details.

-d
Steffen Nurpmeso
2015-Oct-10 11:22 UTC
Permanently added hostkeys (due to IP address pool), without confirmation
Damien Miller <djm at mindrot.org> wrote:
 |On Fri, 9 Oct 2015, Steffen Nurpmeso wrote:
 |You have CheckHostIP enabled (it is on by default) and some DNS server
 |or hosts file is returning 104.46.105.89 for that hostname. When ssh
 |connects to 104.46.105.89, it is offering the same key as you have
 |already learned for 52.21.36.51, so it is automatically added to
 |known_hosts.
 |
 |See ssh_config's entry on CheckHostIP for a few more details.

Yes (through default). Ok that explains the missing confirmation. It's pretty clear from the manual, thank you.

--steffen
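
An added example, not part of the original thread: a small Python audit that lists known_hosts keys recorded under an address only, as happens when CheckHostIP adds an entry, and shows whether any hostname is bound to the same key. The sample file contents, key blobs and function names are constructed for illustration; hashed (HashKnownHosts) entries and marker lines are skipped.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in known_hosts format; the key blobs are placeholders, not real keys.
SAMPLE = """\
# constructed example
gitlab.com,54.93.71.23 ssh-rsa AAAAKEYONE
52.21.36.51 ssh-rsa AAAAKEYTWO
104.46.105.89 ssh-rsa AAAAKEYTWO
|1|c2FsdA==|aGFzaA== ssh-rsa AAAAKEYTHREE
"""

def is_ip(host):
    """True if a known_hosts host pattern is a literal IP (also the [ip]:port form)."""
    if host.startswith("[") and "]" in host:
        host = host[1:host.index("]")]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def parse(text):
    """Yield (hosts, keytype, blob) per entry; skip comments, markers and hashed names."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@", "|")):
            continue
        yield fields[0].split(","), fields[1], fields[2]

def address_only_report(text):
    """For each key that has an address-only line, return (addresses, hostnames)."""
    by_key = defaultdict(lambda: {"addresses": set(), "names": set(), "addr_only": False})
    for hosts, keytype, blob in parse(text):
        entry = by_key[(keytype, blob)]
        ips = {h for h in hosts if is_ip(h)}
        entry["addresses"] |= ips
        entry["names"] |= set(hosts) - ips
        # A line made up solely of addresses is what an automatic IP entry looks like.
        entry["addr_only"] |= ips == set(hosts)
    return {k: (sorted(v["addresses"]), sorted(v["names"]))
            for k, v in by_key.items() if v["addr_only"]}

if __name__ == "__main__":
    for (keytype, blob), (addrs, names) in address_only_report(SAMPLE).items():
        status = "also bound to " + ", ".join(names) if names else "no hostname bound to this key"
        print(f"{keytype} {blob[:12]}: {', '.join(addrs)} ({status})")
```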