bugzilla-daemon at bugzilla.mindrot.org
2018-Aug-11 12:08 UTC
[Bug 2894] New: Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894
Bug ID: 2894
Summary: Set UpdateHostKeys for interactive sessions to 'ask'
(or consider defaulting to 'yes')
Product: Portable OpenSSH
Version: 7.7p1
Hardware: Other
OS: Other
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: db+mindrot at d1b.org
Set UpdateHostKeys for interactive invocations of ssh client to 'ask'
by default.
( Related this request, I notice that Fabric,
http://docs.fabfile.org/en/1.14/usage/ssh.html, defaults to loading and
using the known_hosts file **but** reject_unknown_hosts defaults to
false (so hosts that have never "been seen" are allowed) this combined
with Fabric seemingly preferring an rsa host key while I had an ecdsa
host key for $host would have allowed MITM attacks. )
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Jan-11 11:35 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894
Colin Watson <cjwatson at debian.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |cjwatson at debian.org
--- Comment #1 from Colin Watson <cjwatson at debian.org> ---
I ran into this recently when trying to work out how we might do host
key rotation on a large SSH server. This is a code hosting site to
which you can push code over SSH, usable by anyone who's given us a
public key rather than limited to a single organisation, so we can't
mandate any particular client setup and the host key certificate
mechanisms don't really work all that well for us either.
Life would be a lot easier in this kind of environment if
UpdateHostKeys were on in some way by default. (We'd actually probably
need it to have been on by default for a few years, and something
similar to be in some other popular clients too, but you have to start
somewhere.)
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Jan-11 11:38 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894 --- Comment #2 from Colin Watson <cjwatson at debian.org> --- (Sorry, I submitted the last comment by accident before I'd finished writing it ...) Is there an explanation somewhere for why UpdateHostKeys is off? The best I could find was a git commit from 2015 saying "turn UpdateHostkeys off by default until I figure out mlarkin@'s warning message". And I wonder if https://bugzilla.mindrot.org/show_bug.cgi?id=2631 would also need to be fixed in order to use this in practice? -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Jan-23 00:37 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends on| |2738
CC| |djm at mindrot.org
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
IIRC there might be some corner cases wrt multiple keys files. It was a
bit fiddly IIRC
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2738
[Bug 2738] UpdateHostKeys does not check keys in secondary known_hosts
files
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2020-Jan-24 01:24 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
Blocks| |3079
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3079
[Bug 3079] Tracking bug for 8.2 release
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2020-Jan-25 00:22 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894
Bug 2894 depends on bug 2738, which changed state.
Bug 2738 Summary: UpdateHostKeys does not check keys in secondary known_hosts
files
https://bugzilla.mindrot.org/show_bug.cgi?id=2738
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2020-Jan-25 00:24 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|ASSIGNED |RESOLVED
--- Comment #4 from Damien Miller <djm at mindrot.org> ---
Committed; will be in openssh-8.2
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2020-Feb-04 00:00 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|FIXED |---
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
I've had to revert this change.
It doesn't play well with certificate host keys and I'm unsure of the
interaction with @revoked lines in known_hosts.
Both these need to be fixed before it gets enabled again. I plan to do
this early in the 8.3 release cycle to give it as long as possible to
bake.
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2020-Feb-04 00:44 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |3117
--- Comment #6 from Damien Miller <djm at mindrot.org> ---
Prepare for 8.2 release; retarget bugs
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3117
[Bug 3117] Tracking bug for 8.2 release
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2020-Feb-04 00:45 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|3079 |
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3079
[Bug 3079] Tracking bug for 8.2 release
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2020-May-08 03:38 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |3162
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3162
[Bug 3162] Tracking bug for 8.4 release
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-May-08 03:39 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|3117 |
--- Comment #7 from Damien Miller <djm at mindrot.org> ---
Retarget bugs to 8.4 release
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3117
[Bug 3117] Tracking bug for 8.3 release
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Oct-02 04:49 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |3217
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3217
[Bug 3217] Tracking bug for 8.5 release
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Oct-02 04:52 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|3162 |
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3162
[Bug 3162] Tracking bug for 8.4 release
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Mar-03 22:47 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |3270
--- Comment #8 from Damien Miller <djm at mindrot.org> ---
retarget to 8.6
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3270
[Bug 3270] Tracking bug for 8.6 release
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2021-Mar-03 22:50 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|3217 |
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3217
[Bug 3217] Tracking bug for 8.5 release
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Mar-05 10:46 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894
Jakub Jelen <jjelen at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jjelen at redhat.com
--- Comment #9 from Jakub Jelen <jjelen at redhat.com> ---
AFAIK this was addressed in OpenSSH 8.5p1
https://www.openssh.com/txt/release-8.5
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Apr-23 04:49 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |3302
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3302
[Bug 3302] Tracking bug for openssh-8.7
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Apr-23 04:50 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894 --- Comment #10 from Damien Miller <djm at mindrot.org> --- retarget after 8.6p1 release -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2021-Apr-23 04:51 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|3270 |
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3270
[Bug 3270] Tracking bug for 8.6 release
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Jul-02 04:02 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|REOPENED |RESOLVED
--- Comment #11 from Damien Miller <djm at mindrot.org> ---
The last release enabled UpdateHostkeys by default under most
circumstances
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2022-Feb-25 02:59 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #12 from Damien Miller <djm at mindrot.org> ---
closing bugs resolved before openssh-8.9
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
Apparently Analagous Threads
- [Bug 2738] New: UpdateHostKeys does not check keys in secondary known_hosts files
- [Bug 3079] New: Tracking bug for 8.2 release
- UpdateHostkeys now enabled by default
- UpdateHostkeys now enabled by default
- [Bug 2846] New: PermitOpen rule in sshd_config is not case insensitive