bugzilla-daemon at bugzilla.mindrot.org
2010-Dec-09 15:59 UTC
[Bug 1843] New: ssh should mention ssh-keyscan in remote host fingerprint warning
https://bugzilla.mindrot.org/show_bug.cgi?id=1843
Summary: ssh should mention ssh-keyscan in remote host
fingerprint warning
Product: Portable OpenSSH
Version: 5.6p1
Platform: All
OS/Version: All
Status: NEW
Severity: minor
Priority: P2
Component: ssh
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: smoser at ubuntu.com
Created attachment 1972
--> https://bugzilla.mindrot.org/attachment.cgi?id=1972
patch
ssh should mention ssh-keyscan when it warns about remote host
fingerprint.
I find that many people are unaware that ssh-keygen can remove lines
from known_hosts for them.
adding a copy-and-pasteable message in the warning will make users
more aware and make it easier for them to do so.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Dec-09 16:05 UTC
[Bug 1843] ssh should mention ssh-keyscan in remote host fingerprint warning
https://bugzilla.mindrot.org/show_bug.cgi?id=1843 --- Comment #1 from Scott Moser <smoser at ubuntu.com> 2010-12-10 03:05:26 EST --- I'd also sent this to the mailing list: http://lists.mindrot.org/pipermail/openssh-unix-dev/2010-December/029084.html -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Dec-09 16:30 UTC
[Bug 1843] ssh should mention ssh-keyscan in remote host fingerprint warning
https://bugzilla.mindrot.org/show_bug.cgi?id=1843
Scott Moser <smoser at ubuntu.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |smoser at ubuntu.com
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Dec-14 11:51 UTC
[Bug 1843] ssh should mention ssh-keyscan in remote host fingerprint warning
https://bugzilla.mindrot.org/show_bug.cgi?id=1843
Colin Watson <cjwatson at debian.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1972|0 |1
is obsolete| |
--- Comment #2 from Colin Watson <cjwatson at debian.org> 2010-12-14
22:51:05 EST ---
Created attachment 1977
--> https://bugzilla.mindrot.org/attachment.cgi?id=1977
use ip/host not ip_line/host_line
I think Scott picked out the wrong version of this patch to send; -R
<ip_line> can't possibly work. Here's a corrected version.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Dec-14 11:51 UTC
[Bug 1843] ssh should mention ssh-keyscan in remote host fingerprint warning
https://bugzilla.mindrot.org/show_bug.cgi?id=1843
Colin Watson <cjwatson at debian.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |cjwatson at debian.org
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Dec-15 10:23 UTC
[Bug 1843] ssh should mention ssh-keygen in remote host fingerprint warning
https://bugzilla.mindrot.org/show_bug.cgi?id=1843
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at zip.com.au
Summary|ssh should mention |ssh should mention
|ssh-keyscan in remote host |ssh-keygen in remote host
|fingerprint warning |fingerprint warning
--- Comment #3 from Darren Tucker <dtucker at zip.com.au> 2010-12-15
21:23:01 EST ---
I think encouraging cut-and-pasting something in response to a key
mismatch warning instead of having peopek *thinking* about the key
change and why it changed is
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Dec-15 10:23 UTC
[Bug 1843] ssh should mention ssh-keygen in remote host fingerprint warning
https://bugzilla.mindrot.org/show_bug.cgi?id=1843 --- Comment #4 from Darren Tucker <dtucker at zip.com.au> 2010-12-15 21:23:59 EST --- (In reply to comment #3)> I think encouraging cut-and-pasting something in response to a key > mismatch warning instead of having peopek *thinking* about the key > change and why it changed isbah. "I think encouraging cut-and-pasting something in response to a key mismatch warning instead of having people *thinking* about the key change and why it changed is not a good idea" -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Dec-15 14:48 UTC
[Bug 1843] ssh should mention ssh-keygen in remote host fingerprint warning
https://bugzilla.mindrot.org/show_bug.cgi?id=1843 --- Comment #5 from Scott Moser <smoser at ubuntu.com> 2010-12-16 01:48:18 EST --- I expected the "make it hard to do so people know what they're doing response". I really don't think its all that valid. The user is still forced to take manual action, finding, selecting, and pasting the command line. The "finding" is non-trivial, and in the output message (with example below), the most obvious and important warning message still stands out. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed. The fingerprint for the RSA key sent by the remote host is c5:43:dd:69:56:82:2c:30:4c:03:57:45:aa:de:26:31. Please contact your system administrator. Add correct host key in /home/smoser/.ssh/known_hosts.uec to get rid of this message. Offending key in /home/smoser/.ssh/known_hosts.uec:1 remove with: ssh-keygen -f "/home/smoser/.ssh/known_hosts.uec" -R kearney RSA host key for kearney has changed and you have requested strict checking. Host key verification failed. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
Apparently Analagous Threads
- [PATCH] mention ssh-keyscan in remote host fingerprint warning
- [Bug 1843] ssh should mention ssh-keygen in remote host fingerprint warning
- [Bug 1843] ssh should mention ssh-keygen in remote host fingerprint warning
- [Bug 1843] ssh should mention ssh-keygen in remote host fingerprint warning
- ssh-import-id