On Sun, 4 Oct 2020, Matthieu Herrb wrote:

> Hi,
>
> on OpenBSD-current I now get this when connecting to an existing
> machine for which I have both ecdsa and ed25519 keys in my existing
> known_hosts (but apparently ed25519 keys were added only for the name
> previously by ssh):
>
> Warning: the ED25519 host key for 'freedom' differs from the key for
> the IP address '2a03:7220:8081:6101:6552:9ca8:512b:9251'
> Offending key for IP in /home/matthieu/.ssh/known_hosts:53
> Matching host key in /home/matthieu/.ssh/known_hosts:131
> Are you sure you want to continue connecting (yes/no)?
>
> line 53 is the ecdsa key for the given address, 131 is the ed25519 key
> for the name. Neither the name nor the IP address for freedom changed
> (and the behaviour is the same with IPv4).
>
> If I answer 'yes' the known_hosts file is not updated. I have to
> remove the ecdsa key manually to have the ed25519 key for the IP
> address added automatically.
>
> i.e.:
>
> % ssh-keygen -R '2a03:7220:8081:6101:6552:9ca8:512b:9251'
> # Host 2a03:7220:8081:6101:6552:9ca8:512b:9251 found: line 53
> /home/matthieu/.ssh/known_hosts updated.
> Original contents retained as /home/matthieu/.ssh/known_hosts.old
> % ssh freedom
> Warning: Permanently added the ED25519 host key for IP address
> '2a03:7220:8081:6101:6552:9ca8:512b:9251' to the list of known hosts.
>
>
> I find this quite disturbing (and it breaks some non-interactive
> scripts). Is it the intended behaviour?

No - I think you've stumbled on a corner case I hadn't anticipated.
Does your configuration override CheckHostIP at all?

What are the known_hosts entries for the hostname and IP?

Thanks,
Damien
On Sun, 4 Oct 2020, Damien Miller wrote:

> No - I think you've stumbled on a corner case I hadn't anticipated.
> Does your configuration override CheckHostIP at all?
>
> What are the known_hosts entries for the hostname and IP?

Also, do you use HashKnownHosts? or do you have any hashed host lines
in known_hosts?

I'll try to figure this out tomorrow morning...

-d
On Sun, Oct 04, 2020 at 09:24:12PM +1100, Damien Miller wrote:

> On Sun, 4 Oct 2020, Damien Miller wrote:
>
> > No - I think you've stumbled on a corner case I hadn't anticipated.
> > Does your configuration override CheckHostIP at all?

No.

> >
> > What are the known_hosts entries for the hostname and IP?
>
> Also, do you use HashKnownHosts? or do you have any hashed host lines
> in known_hosts?

Yes, I use HashKnownHosts.

Here are all the lines from my known_hosts.old that contain the public
keys for this host (the name is 'freedom' or freedom.herrb.net and the
IP addresses are 192.168.31.41 and 2a03:7220:8081:6101:6552:9ca8:512b:9251):

|1|LDNls9zwwKUtszPxTWOn1hEP+30=|2C9Jva6DwfnWqEHHjylVV9gAfSs= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF2yT8wIR716QLjlhgLO3XGvFB7QHxguK2UXaFoVFEgQwRHpi5aLRjT3eENZNYHDUj/Nr4wFWDrOW1whtU+CxkM
|1|zjuSnQb3afgDzZBCywXwNiZHYuY=|fUpd/QMtdR1dwYwfDUMM1xKIhqA= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF2yT8wIR716QLjlhgLO3XGvFB7QHxguK2UXaFoVFEgQwRHpi5aLRjT3eENZNYHDUj/Nr4wFWDrOW1whtU+CxkM
|1|IfXYEUvy166GATD/1980t6hR9CM=|UsUUsCnt3m0WH1X0N6sX/8tl/k8= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF2yT8wIR716QLjlhgLO3XGvFB7QHxguK2UXaFoVFEgQwRHpi5aLRjT3eENZNYHDUj/Nr4wFWDrOW1whtU+CxkM
|1|tOtsqSGnI+Of4l4toTHgAKKeZpI=|pWNu4KHsqq4z49vhuovYNJVE2o4= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF2yT8wIR716QLjlhgLO3XGvFB7QHxguK2UXaFoVFEgQwRHpi5aLRjT3eENZNYHDUj/Nr4wFWDrOW1whtU+CxkM
|1|LDNls9zwwKUtszPxTWOn1hEP+30=|2C9Jva6DwfnWqEHHjylVV9gAfSs= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF2yT8wIR716QLjlhgLO3XGvFB7QHxguK2UXaFoVFEgQwRHpi5aLRjT3eENZNYHDUj/Nr4wFWDrOW1whtU+CxkM
|1|IQQcAaveFbGQNoBJdsCJAtoqKSE=|xJvFONAHNU3U2as+cdtNeP2r1es= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFpmvj21EjLwEzHAlI8WWhZqT42g0mdpqfo/vFbN0FMG

-- 
Matthieu Herrb
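The hashed lines Matthieu posted are the HashKnownHosts format: each host field is `|1|base64(salt)|base64(HMAC-SHA1(salt, name))` with a fresh 20-byte salt, and every name or address gets its own line, which is why a hashed known_hosts cannot be read by eye to answer Damien's question of which key types the hostname and the IP each have. The script below is an added example for this thread, not OpenSSH code: it matches names against hashed and plain entries, then classifies, per key type, what known_hosts says about a hostname and its IP address. The known_hosts text and key blobs in it are constructed for the demonstration (shaped like Matthieu's file: ECDSA recorded for every name and address, ED25519 only for the short hostname), and the verdict names are the example's own, not OpenSSH's internal states.

```python
"""Parse a known_hosts file that uses HashKnownHosts and compare, per key type,
what is recorded for a hostname with what is recorded for its IP address.

Added example for the thread above, not OpenSSH's own code.  The hashed host
field format (|1|base64(salt)|base64(HMAC-SHA1(salt, name))) is the one
OpenSSH writes; the sample file and key blobs below are constructed and fake.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

HASH_MAGIC = "|1|"
Entry = Tuple[int, str, str, str]  # (line number, host field, key type, key blob)


def hash_hostname(name: str, salt: Optional[bytes] = None) -> str:
    """Build a HashKnownHosts host field for `name` (random 20-byte salt unless given)."""
    if salt is None:
        salt = os.urandom(hashlib.sha1().digest_size)
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_field_matches(field: str, name: str) -> bool:
    """True if a host field (hashed, or plain comma-separated list) names `name`."""
    if field.startswith(HASH_MAGIC):
        try:
            _, _, salt_b64, mac_b64 = field.split("|", 3)
            salt, expected = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        except ValueError:          # malformed hashed field: treat as no match
            return False
        actual = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return name in field.split(",")  # plain entries: "host,ip,alias ..."


def parse_known_hosts(text: str) -> List[Entry]:
    """Return (lineno, hostfield, keytype, blob) per key line; skip blanks and comments."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):   # @cert-authority / @revoked marker: ignored here
            parts = parts[1:]
        if len(parts) >= 3:
            entries.append((lineno, parts[0], parts[1], parts[2]))
    return entries


def keys_for(entries: List[Entry], name: str) -> Dict[str, Tuple[int, str]]:
    """Map key type -> (lineno, blob) for the first entry of each type naming `name`."""
    found: Dict[str, Tuple[int, str]] = {}
    for lineno, field, ktype, blob in entries:
        if host_field_matches(field, name):
            found.setdefault(ktype, (lineno, blob))
    return found


def compare_name_and_ip(entries: List[Entry], hostname: str, ip: str, ktype: str) -> str:
    """Classify one key type for a hostname/IP pair (verdict names are this example's):
    "ok"           both record the same key of this type
    "ip-differs"   both have this type but the blobs differ
    "ip-missing"   hostname has this type, the IP does not (the thread's situation)
    "host-missing" the IP has this type, the hostname does not
    "unknown"      neither has a key of this type
    """
    host = keys_for(entries, hostname).get(ktype)
    addr = keys_for(entries, ip).get(ktype)
    if host and addr:
        return "ok" if host[1] == addr[1] else "ip-differs"
    if host:
        return "ip-missing"
    return "host-missing" if addr else "unknown"


def record_key(text: str, name: str, ktype: str, blob: str) -> str:
    """Append a hashed entry for `name`, the shape ssh adds after 'Permanently added'."""
    sep = "" if (not text or text.endswith("\n")) else "\n"
    return f"{text}{sep}{hash_hostname(name)} {ktype} {blob}\n"


# Constructed sample mirroring the thread; blobs are fake, salts fixed for repeatability.
ECDSA_BLOB = "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYCONSTRUCTED"
ED25519_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTED"
IPV6 = "2a03:7220:8081:6101:6552:9ca8:512b:9251"
SAMPLE = "\n".join([
    f"{hash_hostname('freedom', bytes(range(20)))} ecdsa-sha2-nistp256 {ECDSA_BLOB}",
    f"{hash_hostname('freedom.herrb.net', bytes(range(1, 21)))} ecdsa-sha2-nistp256 {ECDSA_BLOB}",
    f"{hash_hostname('192.168.31.41', bytes(range(2, 22)))} ecdsa-sha2-nistp256 {ECDSA_BLOB}",
    f"{hash_hostname(IPV6, bytes(range(3, 23)))} ecdsa-sha2-nistp256 {ECDSA_BLOB}",
    f"{hash_hostname('freedom', bytes(range(4, 24)))} ssh-ed25519 {ED25519_BLOB}",
    f"other.example,10.0.0.5 ssh-ed25519 {ED25519_BLOB}",   # plain, unhashed entry
]) + "\n"


def demo() -> Dict[str, str]:
    """Verdicts for the sample before and after adding the IP's ED25519 entry."""
    entries = parse_known_hosts(SAMPLE)
    result = {
        "ecdsa": compare_name_and_ip(entries, "freedom", IPV6, "ecdsa-sha2-nistp256"),
        "ed25519": compare_name_and_ip(entries, "freedom", IPV6, "ssh-ed25519"),
    }
    updated = parse_known_hosts(record_key(SAMPLE, IPV6, "ssh-ed25519", ED25519_BLOB))
    result["ed25519_after_add"] = compare_name_and_ip(updated, "freedom", IPV6, "ssh-ed25519")
    return result


if __name__ == "__main__":
    for key, verdict in demo().items():
        print(f"{key}: {verdict}")
```

Run against a real file, `host_field_matches` can be pointed at the six hashed fields Matthieu posted with the names he listed to see which line belongs to which name or address; the script does not handle the `!` negation or `*`/`?` wildcards that plain (unhashed) entries may use, nor `@cert-authority` semantics, so it is a diagnostic aid rather than a replacement for `ssh-keygen -F`.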