bugzilla-daemon at mindrot.org
2014-May-08  13:13 UTC
[Bug 2241] New: ssh-keygen -R removes matching key as well as @cert-authority
https://bugzilla.mindrot.org/show_bug.cgi?id=2241
            Bug ID: 2241
           Summary: ssh-keygen -R removes matching key as well as
                    @cert-authority
           Product: Portable OpenSSH
           Version: 6.6p1
          Hardware: amd64
                OS: Mac OS X
            Status: NEW
          Severity: minor
          Priority: P5
         Component: ssh-keygen
          Assignee: unassigned-bugs at mindrot.org
          Reporter: mlindgren at runelind.net
I have confirmed this behavior from OpenSSH 6.6 in OS X (from MacPorts)
and 6.6 in Ubuntu.  I have set up an SSH certificate authority, and as
such I put in the following line at the top of my known_hosts file:
@cert-authority *.mydomain.com ssh-rsa <public key>
Below this are all my hashed entries for various other hosts that I've
contacted over the years.
If I do ssh-keygen -R <ip> it has the unintended consequence of
matching on the offending entry in the known_hosts file *and* my
cert-authority entry:
$ ssh-keygen -R 10.50.3.149
# Host 10.50.3.149 found: line 1 type RSA <--This is my cert-authority
# Host 10.50.3.149 found: line 512 type ECDSA
/Users/mlindgren/.ssh/known_hosts updated.
Original contents retained as /Users/mlindgren/.ssh/known_hosts.old
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2014-Jul-03  02:55 UTC
[Bug 2241] ssh-keygen -R removes matching key as well as @cert-authority
https://bugzilla.mindrot.org/show_bug.cgi?id=2241
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
                 CC|                            |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Created attachment 2447
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2447&action=edit
preserve markers when hashing/removing known_hosts
Yes, it also barfs on @revoked keys.
This patch should fix it, but the code is a tangled mess and should be
more broadly refactored.
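An added example, not code from the bug report or from OpenSSH itself: a small Python model of the known_hosts rewrite that Damien's patch restored, removing every entry whose host field (plain, comma-separated pattern, or hashed |1|salt|hash| form) matches the given host while leaving @cert-authority and @revoked lines untouched, plus a check that reports any marker lines a rewrite dropped, which is the symptom reported above. The sample file, salt and key blobs are constructed placeholders, and negated (!) host patterns are not handled.

```python
import base64
import fnmatch
import hashlib
import hmac

MARKERS = ("@cert-authority", "@revoked")

def hash_host(host, salt):
    """Build an OpenSSH hashed host field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))|."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def host_field_matches(field, host):
    """Match a known_hosts host field (plain, comma-separated patterns or hashed) to host.
    Negated (!) patterns are not handled in this example."""
    if field.startswith("|1|"):
        _, _, salt_b64, digest_b64, _ = field.split("|")
        want = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(want, base64.b64decode(digest_b64))
    return any(fnmatch.fnmatchcase(host, pat) for pat in field.split(","))

def remove_host(known_hosts, host):
    """Drop every entry for host except lines carrying a marker.  Returns
    (new_text, removed_line_numbers).  Keeping @cert-authority/@revoked lines
    even when their host pattern matches is the behaviour the fix restored."""
    kept, removed = [], []
    for lineno, line in enumerate(known_hosts.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#") or fields[0] in MARKERS:
            kept.append(line)          # blank, comment, CA or revocation line: never removed
        elif host_field_matches(fields[0], host):
            removed.append(lineno)     # what ssh-keygen -R reports as "Host ... found"
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed

def markers_lost(before, after):
    """Marker lines present before a rewrite but gone afterwards: the symptom in this bug."""
    after_lines = set(after.splitlines())
    return [l for l in before.splitlines() if l.startswith(MARKERS) and l not in after_lines]

# Constructed sample file; the salt and key blobs are placeholders, not real keys.
SALT = b"0123456789abcdefghij"
SAMPLE = "\n".join([
    "@cert-authority *.mydomain.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCsample-ca",
    "10.50.3.149 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAsample-host",
    hash_host("10.50.3.149", SALT) + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIsample-hashed",
    "@revoked * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCsample-revoked",
    "git.example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCsample-other",
]) + "\n"

if __name__ == "__main__":
    new_text, removed = remove_host(SAMPLE, "10.50.3.149")
    print("removed lines:", removed, "markers lost:", markers_lost(SAMPLE, new_text))
```

Running markers_lost() against the .old backup that ssh-keygen -R leaves behind is a quick way to confirm an affected build did not silently drop a CA or revocation line.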
bugzilla-daemon at mindrot.org
2014-Jul-03  02:56 UTC
[Bug 2241] ssh-keygen -R removes matching key as well as @cert-authority
https://bugzilla.mindrot.org/show_bug.cgi?id=2241
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2226
bugzilla-daemon at mindrot.org
2014-Jul-03  03:47 UTC
[Bug 2241] ssh-keygen -R removes matching key as well as @cert-authority
https://bugzilla.mindrot.org/show_bug.cgi?id=2241
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
patch applied - this will be in openssh-6.7. Thanks!
bugzilla-daemon at mindrot.org
2014-Jul-03  06:49 UTC
[Bug 2241] ssh-keygen -R removes matching key as well as @cert-authority
https://bugzilla.mindrot.org/show_bug.cgi?id=2241
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED
bugzilla-daemon at mindrot.org
2014-Oct-07  21:00 UTC
[Bug 2241] ssh-keygen -R removes matching key as well as @cert-authority
https://bugzilla.mindrot.org/show_bug.cgi?id=2241
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Close all bugs left open from 6.6 and 6.7 releases.