bugzilla-daemon at bugzilla.mindrot.org
2018-Nov-01 12:55 UTC
[Bug 2924] New: Order a limited host keys list in client based on the known hosts
https://bugzilla.mindrot.org/show_bug.cgi?id=2924
Bug ID: 2924
Summary: Order a limited host keys list in client based on the
known hosts
Product: Portable OpenSSH
Version: 7.7p1
Hardware: Other
OS: Linux
Status: NEW
Keywords: patch
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: jjelen at redhat.com
Created attachment 3198
--> https://bugzilla.mindrot.org/attachment.cgi?id=3198&action=edit
possibility to order host keys in client
The HostKeyAlgorithms option in the client differs from all the other
algorithm-limiting options in that it should be sorted according to the
list of available known hosts. This works fine out of the box with the
default negotiated list, but when one tries to limit (or extend) the
algorithm list to something other than the default, the ordering is
turned off and one can simply hit the "host key changed" error, even
though it did not change at all (only a different one is offered for
the connection).
Attached is a proposed patch implementing a new configuration option,
HostKeyAlgorithmsOrder, which turns on sorting also for the
user-provided list of host keys.
Another possibility to resolve this problem would be to introduce another
configuration option, HostKeyAlgorithmsAllow or similar, which would
have these semantics (it would be ordered before the algorithm
negotiation).
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2018-Nov-02 15:16 UTC
[Bug 2924] Order a limited host keys list in client based on the known hosts
https://bugzilla.mindrot.org/show_bug.cgi?id=2924
Tomas Mraz <t8m at centrum.cz> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |t8m at centrum.cz
bugzilla-daemon at bugzilla.mindrot.org
2019-Jan-22 12:07 UTC
[Bug 2924] Order a limited host keys list in client based on the known hosts
https://bugzilla.mindrot.org/show_bug.cgi?id=2924
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
I'm kinda loath to add another option. Maybe another magic character,
e.g. HostKeyAlgorithms=:ssh-ed25519,ssh-rsa etc., to specify a list
ordered by the known host keys?
(I mean, it's ugly, but so is yet another option...)
bugzilla-daemon at bugzilla.mindrot.org
2019-Jan-22 12:13 UTC
[Bug 2924] Order a limited host keys list in client based on the known hosts
https://bugzilla.mindrot.org/show_bug.cgi?id=2924
--- Comment #2 from Jakub Jelen <jjelen at redhat.com> ---
Thank you for the suggestion. This would also solve the original
problem. Not sure about the character ":", but "~" might work as an
"approximate" list?
bugzilla-daemon at bugzilla.mindrot.org
2019-Aug-29 09:45 UTC
[Bug 2924] Order a limited host keys list in client based on the known hosts
https://bugzilla.mindrot.org/show_bug.cgi?id=2924
Jakub Jelen <jjelen at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #3198 is obsolete| 0 | 1
--- Comment #3 from Jakub Jelen <jjelen at redhat.com> ---
Created attachment 3313
--> https://bugzilla.mindrot.org/attachment.cgi?id=3313&action=edit
Introduce a new modifier for HostKeyAlgorithms to allow ordering
Damien, I rewrote the patch to use the colon prefix notation to
signal the same. Would it work this way for you?
bugzilla-daemon at bugzilla.mindrot.org
2020-Jan-25 13:37 UTC
[Bug 2924] Order a limited host keys list in client based on the known hosts
https://bugzilla.mindrot.org/show_bug.cgi?id=2924
--- Comment #4 from Damien Miller <djm at mindrot.org> ---
OpenSSH 8.2 will enable UpdateHostKeys by default. IMO this goes some
way to avoiding this problem.
bugzilla-daemon at bugzilla.mindrot.org
2020-Jan-27 12:33 UTC
[Bug 2924] Order a limited host keys list in client based on the known hosts
https://bugzilla.mindrot.org/show_bug.cgi?id=2924
--- Comment #5 from Jakub Jelen <jjelen at redhat.com> ---
Right. After the first successful authentication, the client will learn
all the server host keys and we should be able to validate whatever key
the server provides according to our preference. But getting over the
first connection can still be a problem, and it is hard to guess how
long it would take to make sure the users have already connected at
least once to the particular host, so that it is safe to roll out this
change. Therefore I see UpdateHostKeys as a good addition, but the
attached patch would still significantly simplify the migration path
and decrease user frustration when dealing with failed host key
checking.
bugzilla-daemon at mindrot.org
2020-Sep-30 18:54 UTC
[Bug 2924] Order a limited host keys list in client based on the known hosts
https://bugzilla.mindrot.org/show_bug.cgi?id=2924
jatjasjem at gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jatjasjem at gmail.com
--- Comment #6 from jatjasjem at gmail.com ---
I might be hitting this issue; can someone confirm that this is the
same one, or should I open another one?
If I run this on the default configuration and accept the RSA key:
rm ~/.ssh/known_hosts
ssh user@localhost -oHostKeyAlgorithms=rsa-sha2-512
then this works:
ssh user@localhost
This also works:
ssh user@localhost -oHostKeyAlgorithms=rsa-sha2-512,ssh-ed25519
This doesn't work:
ssh user@localhost -oHostKeyAlgorithms=ssh-ed25519,rsa-sha2-512
Now edit ssh_config, setting HostKeyAlgorithms to the *default* value
from man ssh_config. Then this also doesn't work:
ssh user@localhost
This behavior is very unexpected and at the very least should be
mentioned in the manual?
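Editor's note: the following is an added model of the client-side behaviour described in the original report and reproduced in comment #6. It is not OpenSSH code and not the attached patch. It assumes a simplified table mapping signature algorithm names to known_hosts key types (certificate algorithms omitted), a shortened constructed stand-in for the client's default HostKeyAlgorithms list, a constructed known_hosts sample in which only the RSA key for localhost is known, and function names of my own choosing. Hashed known_hosts entries are skipped. The `order_user_list` flag models what the bug asks for: applying the known-hosts ordering to a user-supplied list as well.

```python
# Added illustration for bug 2924: how an ssh client orders its
# HostKeyAlgorithms proposal against known_hosts, and what goes wrong when
# a user-supplied list is sent verbatim. NOT OpenSSH code and not the
# attached patch; names, the algorithm table and the sample data are mine.

# Assumption: signature algorithm name -> key type as stored in known_hosts.
# Simplified: certificate (-cert-v01@openssh.com) algorithms are omitted.
KEY_TYPE_OF = {
    "ecdsa-sha2-nistp256": "ecdsa-sha2-nistp256",
    "ssh-ed25519": "ssh-ed25519",
    "rsa-sha2-512": "ssh-rsa",
    "rsa-sha2-256": "ssh-rsa",
    "ssh-rsa": "ssh-rsa",
}

# Constructed, shortened stand-in for the client's built-in default list
# (not the real OpenSSH default; only the relative order matters here).
DEFAULT_HOSTKEYALGS = [
    "ecdsa-sha2-nistp256", "ssh-ed25519",
    "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa",
]

# Constructed known_hosts content: only the RSA key for localhost is known,
# matching the reproduction in comment #6. Key blobs are placeholders.
KNOWN_HOSTS_TEXT = """\
# constructed sample, not a real known_hosts file
localhost,127.0.0.1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC-constructed
example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI-constructed
"""


def parse_known_hosts(text):
    """Return {hostname: set(key types)} from plain-text known_hosts lines.

    Hashed (|1|...) hostnames are skipped: matching them needs the HMAC
    lookup ssh performs, which is out of scope for this model.
    """
    known = {}
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):      # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3 or fields[0].startswith("|1|"):
            continue
        for host in fields[0].split(","):
            known.setdefault(host, set()).add(fields[1])
    return known


def order_by_known_hosts(algs, known_types):
    """Stable partition: algorithms whose key type is already known come
    first; everything else keeps its relative order behind them."""
    known = [a for a in algs if KEY_TYPE_OF.get(a) in known_types]
    rest = [a for a in algs if KEY_TYPE_OF.get(a) not in known_types]
    return known + rest


def client_proposal(user_algs, known_types, order_user_list=False):
    """Build the host key algorithm name-list the client sends in KEXINIT.

    user_algs=None models the built-in default, which is always reordered.
    A user-supplied list is sent verbatim unless order_user_list is set,
    which models the behaviour the bug asks for.
    """
    if user_algs is None:
        return order_by_known_hosts(DEFAULT_HOSTKEYALGS, known_types)
    algs = list(user_algs)
    return order_by_known_hosts(algs, known_types) if order_user_list else algs


def negotiate(client_algs, server_algs):
    """RFC 4253 section 7.1: the first algorithm on the client's list that
    the server also supports wins, so the client's order decides."""
    for alg in client_algs:
        if alg in server_algs:
            return alg
    return None


def check_host_key(host, known, server_keytypes, user_algs=None,
                   order_user_list=False):
    """Simulate one connection; return (negotiated algorithm, status)."""
    known_types = known.get(host, set())
    server_algs = [a for a, t in KEY_TYPE_OF.items() if t in server_keytypes]
    alg = negotiate(client_proposal(user_algs, known_types, order_user_list),
                    server_algs)
    if alg is None:
        return None, "no-common-algorithm"
    return alg, ("known" if KEY_TYPE_OF[alg] in known_types else "unknown")


SAMPLE_KNOWN = parse_known_hosts(KNOWN_HOSTS_TEXT)
SAMPLE_SERVER = {"ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"}

if __name__ == "__main__":
    cases = [
        ("default list", None, False),
        ("rsa-sha2-512,ssh-ed25519", ["rsa-sha2-512", "ssh-ed25519"], False),
        ("ssh-ed25519,rsa-sha2-512", ["ssh-ed25519", "rsa-sha2-512"], False),
        ("default list given explicitly", DEFAULT_HOSTKEYALGS, False),
        ("ssh-ed25519,rsa-sha2-512, reordered", ["ssh-ed25519", "rsa-sha2-512"], True),
    ]
    for label, algs, reorder in cases:
        result = check_host_key("localhost", SAMPLE_KNOWN, SAMPLE_SERVER, algs, reorder)
        print(f"{label:38} -> {result}")
```

The five cases in the main block follow comment #6 in order: the default list is reordered so the known RSA key is negotiated; a user list with rsa-sha2-512 first also works; putting ssh-ed25519 first negotiates a key type the client has never seen for this host; and copying the default list into ssh_config verbatim has the same effect, because the reordering only applies to the built-in default. The last case shows the outcome with the ordering applied to the user list, which is what the proposed patch (and the colon prefix variant discussed above) would give. In a real client the "unknown" outcome is where the prompt or, under strict host key checking, the refusal appears, even though the host's keys never changed.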
bugzilla-daemon at mindrot.org
2023-Jan-03 21:55 UTC
[Bug 2924] Order a limited host keys list in client based on the known hosts
https://bugzilla.mindrot.org/show_bug.cgi?id=2924
Kenyon Ralph <kenyon at kenyonralph.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |kenyon at kenyonralph.com