bugzilla-daemon at bugzilla.mindrot.org
2017-Jul-11 15:29 UTC
[Bug 2742] New: Improve -R option, allow to purge all similar keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2742
Bug ID: 2742
Summary: Improve -R option, allow to purge all similar keys
Product: Portable OpenSSH
Version: 7.2p2
Hardware: All
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
Reporter: mindrot at dstoecker.de
When a server key changes, OpenSSH prints a warning that the key has
changed and also prints a command line to purge the old key from
known_hosts when the change is legitimate.
This command line only ever purges the key for the hostname you are
currently trying.
But there usually are at least two entries: one for the host and one for
the IP. For dual stack there are at least 3. For dynamic IP there may
be hundreds.
It's a lot of manual work to find all the other keys and purge them as
well.
It would be very nice if the -R command simply asked whether any key
with the same key data should be purged as well (together with the
number of entries). That would speed up the cleanup process a lot.
P.S. It would also be a good idea if I could tell SSH not to make
the automatic IP based entries for certain (dynamic IP) hosts.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Jul-18 09:20 UTC
[Bug 2742] Improve -R option, allow to purge all similar keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2742
Jakub Jelen <jjelen at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jjelen at redhat.com
--- Comment #1 from Jakub Jelen <jjelen at redhat.com> ---
> also prints a commandline to purge old key from known_hosts when the change
> is correct.
OpenSSH does not print that line. It is a Debian addition [1].
I don't think ssh-keygen should resolve the hostname to an IP address and
remove those lines as well.
[1]
https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/mention-ssh-keygen-on-keychange.patch
bugzilla-daemon at bugzilla.mindrot.org
2017-Jul-18 09:59 UTC
[Bug 2742] Improve -R option, allow to purge all similar keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2742
--- Comment #2 from Dirk Stöcker <mindrot at dstoecker.de> ---
> OpenSSH does not print that line. It is a Debian addition [1].
Seems openSUSE copied this patch. Maybe it should find its way into the
official tool ;-)
> I don't think ssh-keygen should resolve the hostname to IP address and
> remove also that lines.
That's NOT what I proposed. This would not work always anyway (dynamic IPs
again or otherwise changed IPs or switch from a dual stack network to IPv4
or ...). What I propose is to offer to delete all keys with "the same key
data". As the host key changed, any entry with the same key data very
likely is obsolete as well. There may be cases when this is not true (e.g.
different hosts using the same key), so it should be optional.
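The purge the reporter describes in the original report and restates in comment #2 (remove every known_hosts line that carries the same key data as the entry `ssh-keygen -R` would remove, without resolving hostnames to addresses) can be worked through in code. The script below is an added example, not OpenSSH code and not a proposed patch; it reimplements the known_hosts parsing it needs (plain, wildcard, `[host]:port` and `|1|salt|hash` hashed host fields, `@cert-authority`/`@revoked` markers) in pure Python and operates on a constructed known_hosts text with fake key blobs, so it runs offline. Matching is done on the key type plus base64 blob only, which is exactly why the hashed entry and the stale dynamic-IP line are found even though nothing is resolved. Marker lines are deliberately left alone: a CA or revocation line that happens to share a blob is not a stale host entry.

```python
import base64
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed key blobs (not real keys) so the example runs offline.
OLD_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIOLDkeyOLDkeyOLDkeyOLDkeyOLDkeyOLDkey"
OTHER_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIOTHERkeyOTHERkeyOTHERkeyOTHERkeyOTH"
CA_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAICAkeyCAkeyCAkeyCAkeyCAkeyCAkeyCAkeyC"

def hash_host(host: str, salt: bytes) -> str:
    """Hash a hostname as HashKnownHosts does: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

@dataclass
class Entry:
    lineno: int             # 1-based line in the file
    marker: Optional[str]   # "@cert-authority" / "@revoked" or None
    hosts: str              # raw host field: comma list, [host]:port, or hashed
    keytype: str
    keydata: str            # base64 blob; this is the "key data" the thread talks about

def parse_known_hosts(text: str) -> List[Entry]:
    """Parse known_hosts lines; blank, comment and malformed lines are skipped (and kept on purge)."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = None
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue
        entries.append(Entry(n, marker, fields[0], fields[1], fields[2]))
    return entries

def glob_match(pattern: str, host: str) -> bool:
    """known_hosts wildcards are '*' and '?' only; '[' and ':' are literal, so fnmatch is avoided."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, host) is not None

def host_matches(host_field: str, host: str) -> bool:
    """True if a plain, wildcard or hashed host field names host."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, _ = host_field.split("|", 3)
        return hmac.compare_digest(hash_host(host, base64.b64decode(salt_b64)), host_field)
    for pat in host_field.split(","):
        if pat.startswith("!"):
            continue  # a negated pattern never selects a line for removal
        if glob_match(pat, host):
            return True
    return False

def key_for_host(entries: List[Entry], host: str) -> Optional[Tuple[str, str]]:
    """(keytype, keydata) of the first plain entry for host: the line `ssh-keygen -R host` targets."""
    for e in entries:
        if e.marker is None and host_matches(e.hosts, host):
            return e.keytype, e.keydata
    return None

def same_key_entries(entries: List[Entry], keytype: str, keydata: str) -> List[Entry]:
    """Every plain entry carrying exactly this key, whatever host field it is filed under."""
    return [e for e in entries
            if e.marker is None and e.keytype == keytype and e.keydata == keydata]

def purge_same_key(text: str, host: str) -> Tuple[str, List[int]]:
    """Drop every plain entry whose key data equals the key recorded for host.
    Returns (new file text, removed 1-based line numbers). Marker lines are never
    touched and an unknown host removes nothing."""
    entries = parse_known_hosts(text)
    key = key_for_host(entries, host)
    if key is None:
        return text, []
    doomed = sorted(e.lineno for e in same_key_entries(entries, *key))
    kept = [l for n, l in enumerate(text.splitlines(), 1) if n not in doomed]
    return "\n".join(kept) + "\n", doomed

def sample_known_hosts() -> str:
    """Constructed known_hosts mirroring the thread: host+IP line, IPv6 line, hashed line,
    port-qualified line, an unrelated host, a CA marker and a stale dynamic-IP line."""
    salt = b"\x01" * 20  # fixed salt only so the sample is deterministic
    lines = [
        "# constructed sample, not a real known_hosts file",
        "host.example.org,192.0.2.10 ssh-ed25519 " + OLD_KEY,
        "2001:db8::10 ssh-ed25519 " + OLD_KEY,
        hash_host("host.example.org", salt) + " ssh-ed25519 " + OLD_KEY,
        "[host.example.org]:2222 ssh-ed25519 " + OLD_KEY,
        "other.example.org ssh-ed25519 " + OTHER_KEY,
        "@cert-authority *.example.org ssh-ed25519 " + CA_KEY,
        "198.51.100.7 ssh-ed25519 " + OLD_KEY,
    ]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    new_text, removed = purge_same_key(sample_known_hosts(), "host.example.org")
    print("would remove lines:", removed)  # [2, 3, 4, 5, 8]
    print(new_text)
```

Running it against the constructed file removes the host+IP, IPv6, hashed, port-qualified and stale dynamic-IP lines (2, 3, 4, 5 and 8) and keeps the comment, the unrelated host and the CA marker; asking for an address instead of a name (`192.0.2.10` or `2001:db8::10`) finds the same key and removes the same set. A real tool would print that list and ask before writing, as the reporter suggests, and would need to keep the file's original line endings and any `#` comments, which this version does by only dropping matched line numbers. For the P.S., the IP-based entries the reporter wants to suppress are written because of the `CheckHostIP` ssh_config option; setting it to `no` for a host stops new address lines being added without touching existing ones.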
bugzilla-daemon at bugzilla.mindrot.org
2018-Oct-12 10:13 UTC
[Bug 2742] Improve -R option, allow to purge all similar keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2742
rink at initfour.nl changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |rink at initfour.nl
--- Comment #3 from rink at initfour.nl ---
I'd also like to see this feature be added.
Matching on lines with the same key data should work and be
straightforward.
+1 for making it optional ... although the only edge case I can think
of 'different hosts using the same key' sounds like a bad practice.
I'm glad to have found this bug before creating a duplicate or asking
on the mailing list.