-stable:

I just updated my workstation from 10.0 to 10.1. Now, ssh is prompting me to accept host keys that I accepted long ago. ssh is looking for the host key in known_hosts using the name given on the command line; it previously used the FQDN. ssh-keygen -F confirms that known_hosts has the same key for the FQDN.

If I recall correctly, using the FQDN in known_hosts was a FreeBSD customization. Did this get dropped during the OpenSSH update?

Thanks in advance.

Eric
On 11/02/2015 22:03, Eric van Gyzen wrote:
> I just updated my workstation from 10.0 to 10.1. Now, ssh is prompting
> me to accept host keys that I accepted long ago. ssh is looking for the
> host key in known_hosts using the name given on the command line; it
> previously used the FQDN. ssh-keygen -F confirms that known_hosts has
> the same key for the FQDN.
>
> If I recall correctly, using the FQDN in known_hosts was a FreeBSD
> customization. Did this get dropped during the OpenSSH update?

It's a different type of SSH key. The new default in 10.1 is to use ECDSA keys (identified typically as ecdsa-sha2-nistp256 in known_hosts), when available, and it's those that SSH is prompting you about. As distinct from the DSA and RSA keys you'll have had in your known_hosts for donkey's years.

You can suppress the prompts about new keys by adding appropriate SSHFP records to your DNS, although you should be running with DNSSEC enabled if you choose to do that.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
On 2/11/15 5:03 PM, Eric van Gyzen wrote:
> -stable:
>
> I just updated my workstation from 10.0 to 10.1. Now, ssh is prompting
> me to accept host keys that I accepted long ago. ssh is looking for the
> host key in known_hosts using the name given on the command line; it
> previously used the FQDN. ssh-keygen -F confirms that known_hosts has
> the same key for the FQDN.
>
> If I recall correctly, using the FQDN in known_hosts was a FreeBSD
> customization. Did this get dropped during the OpenSSH update?

As it turns out, OpenSSH 6.5 or 6.6 added a hostname canonicalization feature that--as I understand--should make FreeBSD's customization obsolete. Based on the description in ssh_config, the following should behave as ssh did in 10.0:

    ssh -o 'CanonicalizeHostname yes' -o 'CanonicalizeFallbackLocal yes' short-name

However, it doesn't find the host key, because it's looking for the short-name, not the FQDN:

    The authenticity of host 'short-name (192.0.2.42)' can't be established.

Can anyone else confirm this behavior?

Eric
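The thread offers two different explanations for the prompt: Eric's (ssh now looks the host up by the name typed, not the FQDN) and Matthew's (the host is known, but the offered ecdsa-sha2-nistp256 key type is not recorded). As an added illustration that is not code from either poster, the script below parses a constructed known_hosts file (host names, the 192.0.2.42 address and the key blobs are placeholders), including OpenSSH's hashed "|1|salt|hmac|" host form, and reports which key types are recorded under the short name versus the FQDN, so the two causes can be told apart.

```python
import base64
import fnmatch
import hashlib
import hmac

# Constructed sample known_hosts (not from the thread); key blobs are placeholders.
SAMPLE_KNOWN_HOSTS = """\
# written by the old FreeBSD ssh under the FQDN only, RSA and DSA
host1.example.org,192.0.2.42 ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER
host1.example.org,192.0.2.42 ssh-dss AAAAB3NzaC1kc3MPLACEHOLDER
# recorded under both the FQDN and the short name, RSA only
host2.example.org,host2 ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER2
"""

def hashed_host_field(hostname, salt):
    # The '|1|salt|hmac-sha1|' host field ssh writes when HashKnownHosts is on.
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

# One ECDSA entry in hashed form, built with a constructed 20-byte salt.
SAMPLE_KNOWN_HOSTS += (hashed_host_field("host3.example.org", b"0123456789abcdefghij")
                       + " ecdsa-sha2-nistp256 AAAAE2VjZHNhPLACEHOLDER\n")

def host_field_matches(field, hostname):
    # Plain, wildcard or hashed host field; "!pattern" and "[host]:port" are not handled.
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(hashed_host_field(hostname, salt), field)
    return any(fnmatch.fnmatchcase(hostname, p) for p in field.split(","))

def key_types_for(known_hosts_text, hostname):
    # Key types recorded for exactly this name, which is how ssh looks the host up.
    found = set()
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not fields[0].startswith("#"):
            if host_field_matches(fields[0], hostname):
                found.add(fields[1])
    return found

def diagnose(known_hosts_text, name_typed, fqdn, offered_type):
    # Distinguish "key exists only under the FQDN" from "host known, new key type".
    by_name = key_types_for(known_hosts_text, name_typed)
    by_fqdn = key_types_for(known_hosts_text, fqdn)
    if offered_type in by_name:
        return "known"
    if offered_type in by_fqdn:
        return "name-mismatch"
    if by_name or by_fqdn:
        return "new-key-type"
    return "unknown-host"
```

Run against a real ~/.ssh/known_hosts, "name-mismatch" points at the name used for the lookup, while "new-key-type" means the host's existing RSA/DSA entries are fine and only the ECDSA key is missing.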