bugzilla-daemon at bugzilla.mindrot.org
2018-Aug-11 12:08 UTC
[Bug 2894] New: Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894 Bug ID: 2894 Summary: Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes') Product: Portable OpenSSH Version: 7.7p1 Hardware: Other OS: Other Status: NEW Severity: enhancement Priority: P5 Component: ssh Assignee: unassigned-bugs at mindrot.org Reporter: db+mindrot at d1b.org Set UpdateHostKeys for interactive invocations of ssh client to 'ask' by default. ( Related this request, I notice that Fabric, http://docs.fabfile.org/en/1.14/usage/ssh.html, defaults to loading and using the known_hosts file **but** reject_unknown_hosts defaults to false (so hosts that have never "been seen" are allowed) this combined with Fabric seemingly preferring an rsa host key while I had an ecdsa host key for $host would have allowed MITM attacks. ) -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Jan-11 11:35 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894 Colin Watson <cjwatson at debian.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |cjwatson at debian.org --- Comment #1 from Colin Watson <cjwatson at debian.org> --- I ran into this recently when trying to work out how we might do host key rotation on a large SSH server. This is a code hosting site to which you can push code over SSH, usable by anyone who's given us a public key rather than limited to a single organisation, so we can't mandate any particular client setup and the host key certificate mechanisms don't really work all that well for us either. Life would be a lot easier in this kind of environment if UpdateHostKeys were on in some way by default. (We'd actually probably need it to have been on by default for a few years, and something similar to be in some other popular clients too, but you have to start somewhere.) -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Jan-11 11:38 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894 --- Comment #2 from Colin Watson <cjwatson at debian.org> --- (Sorry, I submitted the last comment by accident before I'd finished writing it ...) Is there an explanation somewhere for why UpdateHostKeys is off? The best I could find was a git commit from 2015 saying "turn UpdateHostkeys off by default until I figure out mlarkin@'s warning message". And I wonder if https://bugzilla.mindrot.org/show_bug.cgi?id=2631 would also need to be fixed in order to use this in practice? -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Jan-23 00:37 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |2738 CC| |djm at mindrot.org --- Comment #3 from Damien Miller <djm at mindrot.org> --- IIRC there might be some corner cases wrt multiple keys files. It was a bit fiddly IIRC Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=2738 [Bug 2738] UpdateHostKeys does not check keys in secondary known_hosts files -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2020-Jan-24 01:24 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED Blocks| |3079 Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=3079 [Bug 3079] Tracking bug for 8.2 release -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2020-Jan-25 00:22 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894 Bug 2894 depends on bug 2738, which changed state. Bug 2738 Summary: UpdateHostKeys does not check keys in secondary known_hosts files https://bugzilla.mindrot.org/show_bug.cgi?id=2738 What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2020-Jan-25 00:24 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|ASSIGNED |RESOLVED --- Comment #4 from Damien Miller <djm at mindrot.org> --- Committed; will be in openssh-8.2 -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2020-Feb-04 00:00 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|FIXED |--- --- Comment #5 from Damien Miller <djm at mindrot.org> --- I've had to revert this change. It doesn't play well with certificate host keys and I'm unsure of the interaction with @revoked lines in known_hosts. Both these need to be fixed before it gets enabled again. I plan to do this early in the 8.3 release cycle to give it as long as possible to bake. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2020-Feb-04 00:44 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |3117 --- Comment #6 from Damien Miller <djm at mindrot.org> --- Prepare for 8.2 release; retarget bugs Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=3117 [Bug 3117] Tracking bug for 8.2 release -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2020-Feb-04 00:45 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks|3079 | Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=3079 [Bug 3079] Tracking bug for 8.2 release -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2020-May-08 03:38 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |3162 Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=3162 [Bug 3162] Tracking bug for 8.4 release -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-May-08 03:39 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks|3117 | --- Comment #7 from Damien Miller <djm at mindrot.org> --- Retarget bugs to 8.4 release Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=3117 [Bug 3117] Tracking bug for 8.3 release -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Oct-02 04:49 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894 Darren Tucker <dtucker at dtucker.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |3217 Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=3217 [Bug 3217] Tracking bug for 8.5 release -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Oct-02 04:52 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894 Darren Tucker <dtucker at dtucker.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks|3162 | Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=3162 [Bug 3162] Tracking bug for 8.4 release -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Mar-03 22:47 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |3270 --- Comment #8 from Damien Miller <djm at mindrot.org> --- retarget to 8.6 Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=3270 [Bug 3270] Tracking bug for 8.6 release -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2021-Mar-03 22:50 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks|3217 | Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=3217 [Bug 3217] Tracking bug for 8.5 release -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Mar-05 10:46 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894 Jakub Jelen <jjelen at redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jjelen at redhat.com --- Comment #9 from Jakub Jelen <jjelen at redhat.com> --- AFAIK this was addressed in OpenSSH 8.5p1 https://www.openssh.com/txt/release-8.5 -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Apr-23 04:49 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |3302 Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=3302 [Bug 3302] Tracking bug for openssh-8.7 -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Apr-23 04:50 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894 --- Comment #10 from Damien Miller <djm at mindrot.org> --- retarget after 8.6p1 release -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2021-Apr-23 04:51 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks|3270 | Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=3270 [Bug 3270] Tracking bug for 8.6 release -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Jul-02 04:02 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|REOPENED |RESOLVED --- Comment #11 from Damien Miller <djm at mindrot.org> --- The last release enabled UpdateHostkeys by default under most circumstances -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2022-Feb-25 02:59 UTC
[Bug 2894] Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
https://bugzilla.mindrot.org/show_bug.cgi?id=2894 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #12 from Damien Miller <djm at mindrot.org> --- closing bugs resolved before openssh-8.9 -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
Possibly Parallel Threads
- [Bug 2738] New: UpdateHostKeys does not check keys in secondary known_hosts files
- [Bug 3079] New: Tracking bug for 8.2 release
- UpdateHostkeys now enabled by default
- UpdateHostkeys now enabled by default
- [Bug 2846] New: PermitOpen rule in sshd_config is not case insensitive