bugzilla-daemon at mindrot.org
2020-Jun-01 22:09 UTC
[Bug 3176] New: can't figure out how to test StrictHostKeyChecking accept-new
https://bugzilla.mindrot.org/show_bug.cgi?id=3176

            Bug ID: 3176
           Summary: can't figure out how to test StrictHostKeyChecking
                    accept-new
           Product: Portable OpenSSH
           Version: 8.3p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: frederik-openssh at ofb.net

I like the idea of the "StrictHostKeyChecking accept-new" option, but when I
tried to check that it works correctly, I got confused. How do I pretend that
the host key has changed? I thought it would be enough to change the
corresponding key in .ssh/known_hosts, but this just causes a new entry to be
added with the same HostKeyAlias:

# first I deleted the key from .ssh/known_hosts
$ grep TH1LmIM .ssh/known_hosts
[1]$ ssh -F /dev/null -o "StrictHostKeyChecking accept-new" -o HostKeyAlias=foo ofb.net echo hi
Warning: Permanently added 'foo,104.197.242.163' (ECDSA) to the list of known hosts.
hi
$ tail -n 1 .ssh/known_hosts
foo,104.197.242.163 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFypentn5bIw2j25x5/86JRkX87kpGvhUlySBGhY/HGdM/vG3iuItrcYjxbwxNSc8X74a+WQ1qSEjAlsTH1LmIM
$ sed -i 's/TH1LmIM/TH1LmKM/g' .ssh/known_hosts # simulate changed host key?
$ tail -n 1 .ssh/known_hosts
foo,104.197.242.163 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFypentn5bIw2j25x5/86JRkX87kpGvhUlySBGhY/HGdM/vG3iuItrcYjxbwxNSc8X74a+WQ1qSEjAlsTH1LmKM
$ ssh -F /dev/null -o "StrictHostKeyChecking accept-new" -o HostKeyAlias=foo ofb.net echo hi
Warning: Permanently added 'foo,104.197.242.163' (ECDSA) to the list of known hosts.
hi
$ tail -n 2 .ssh/known_hosts
foo,104.197.242.163 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFypentn5bIw2j25x5/86JRkX87kpGvhUlySBGhY/HGdM/vG3iuItrcYjxbwxNSc8X74a+WQ1qSEjAlsTH1LmKM
foo,104.197.242.163 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFypentn5bIw2j25x5/86JRkX87kpGvhUlySBGhY/HGdM/vG3iuItrcYjxbwxNSc8X74a+WQ1qSEjAlsTH1LmIM

So at the end I have two entries for "foo", with different host keys (one
ends with "mKM=", the other ends with "mIM="). And OpenSSH seems to be happy
with that.

What am I missing?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
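Added example (not from the bug report and not OpenSSH code): before concluding that accept-new is broken, it is worth checking whether the edited known_hosts line still contains a key that parses. An ecdsa-sha2-nistp256 entry is an SSH wire-format blob (key-type string, curve-name string, uncompressed P-256 point), and any EC key parser must reject a point that does not satisfy the curve equation; the single-character base64 edit in the session above changes the last byte of the point's Y coordinate. The stdlib-only script below decodes the two entries from that session (copied here as constructed sample input), checks the wire-format structure, and tests the point against the P-256 equation. The curve parameters and generator are the FIPS 186-4 values. That ssh would skip a line whose key fails to parse, and so treat the host as unknown rather than changed, is this editor's inference about the observed behaviour, not something the report states.

```python
"""Sanity-check ecdsa-sha2-nistp256 entries in an OpenSSH known_hosts file.

Added example for the accept-new discussion; not from the bug report or
OpenSSH. It parses the SSH wire-format key blob and verifies that the public
point actually lies on NIST P-256, which is the check an EC key parser must
make before accepting a key.
"""
import base64
import struct

# NIST P-256 domain parameters (FIPS 186-4): y^2 = x^3 - 3x + b over GF(p).
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

# Constructed sample input: the entry from the bug report's session, and the
# same entry after the reporter's `sed -i 's/TH1LmIM/TH1LmKM/g'`.
ORIGINAL_LINE = (
    "foo,104.197.242.163 ecdsa-sha2-nistp256 "
    "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFypentn5bIw2j25x5/"
    "86JRkX87kpGvhUlySBGhY/HGdM/vG3iuItrcYjxbwxNSc8X74a+WQ1qSEjAlsTH1LmIM"
)
MUTATED_LINE = ORIGINAL_LINE.replace("TH1LmIM", "TH1LmKM")


def parse_known_hosts_line(line):
    """Split a known_hosts line into (host list, key type, decoded blob)."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("not a known_hosts entry")
    hosts, keytype, b64 = fields[0], fields[1], fields[2]
    # OpenSSH writes base64 without '=' padding; restore it before decoding.
    blob = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return hosts.split(","), keytype, blob


def read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length prefix)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def decode_ecdsa_p256_blob(blob):
    """Unpack an ecdsa-sha2-nistp256 public-key blob into (x, y) integers."""
    keytype, off = read_string(blob, 0)
    curve, off = read_string(blob, off)
    point, off = read_string(blob, off)
    if keytype != b"ecdsa-sha2-nistp256" or curve != b"nistp256":
        raise ValueError(f"unexpected key type/curve: {keytype!r} {curve!r}")
    if off != len(blob):
        raise ValueError("trailing bytes after public point")
    # Only the uncompressed SEC1 encoding is valid here: 0x04 || X || Y.
    if len(point) != 65 or point[0] != 0x04:
        raise ValueError("public point is not an uncompressed P-256 point")
    return int.from_bytes(point[1:33], "big"), int.from_bytes(point[33:], "big")


def is_on_p256(x, y):
    """True if (x, y) is in range and satisfies y^2 = x^3 - 3x + b (mod p)."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def check_line(line):
    """Summarise whether a known_hosts entry holds a usable P-256 key."""
    hosts, keytype, blob = parse_known_hosts_line(line)
    result = {"hosts": hosts, "keytype": keytype, "valid": False, "reason": ""}
    try:
        x, y = decode_ecdsa_p256_blob(blob)
    except ValueError as exc:
        result["reason"] = str(exc)
        return result
    if not is_on_p256(x, y):
        result["reason"] = "public point is not on P-256; an EC parser rejects it"
        return result
    result["valid"] = True
    return result


if __name__ == "__main__":
    for label, line in (("original", ORIGINAL_LINE), ("after sed", MUTATED_LINE)):
        r = check_line(line)
        print(f"{label}: hosts={r['hosts']} valid={r['valid']} {r['reason']}")
```

Run it against the two entries: if the original decodes to a point on the curve and the edited one does not, the sed edit produced a line that no longer carries a valid key rather than a different key, which would explain why ssh treated "foo" as a new host instead of a changed one. To simulate a real key change, replace the entry with a completely different but valid key of the same type (for example the public half of a throwaway key from `ssh-keygen -t ecdsa -f testkey`) rather than flipping characters in the base64.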
bugzilla-daemon at mindrot.org
2020-Jun-01 22:09 UTC
[Bug 3176] can't figure out how to test StrictHostKeyChecking accept-new
https://bugzilla.mindrot.org/show_bug.cgi?id=3176

frederik-openssh at ofb.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |2400

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2400
[Bug 2400] Fully refuse changed hostkeys when StrictHostKeyChecking=no

-- 
You are receiving this mail because:
You are watching the assignee of the bug.