bugzilla-daemon at mindrot.org
2020-Sep-29 18:31 UTC
[Bug 3216] New: Confusing error "host key ... has changed" when connecting to a server not offering matching host key types
https://bugzilla.mindrot.org/show_bug.cgi?id=3216 Bug ID: 3216 Summary: Confusing error "host key ... has changed" when connecting to a server not offering matching host key types Product: Portable OpenSSH Version: 7.9p1 Hardware: ARM64 OS: Linux Status: NEW Severity: minor Priority: P5 Component: ssh Assignee: unassigned-bugs at mindrot.org Reporter: jatjasjem at gmail.com I'm trying to connect to a server that I previously connected to. The last time I connected to it, ssh used its ECDSA key for host verification. This is the only key in my known hosts file: $ cat ~/.ssh/known_hosts | awk '{print $2}' | uniq ecdsa-sha2-nistp256 The server is no longer offering this key. This is what I get when I try to connect now: $ ssh user at host -p 23 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. The fingerprint for the RSA key sent by the remote host is SHA256:VzEhMh3aw2lqAsZSdLbYJAhwW4yIgUxCRotrMoWqzT9. Please contact your system administrator. Add correct host key in /home/user/.ssh/known_hosts to get rid of this message. Offending ECDSA key in /home/user/.ssh/known_hosts:1 remove with: ssh-keygen -f "/home/user/.ssh/known_hosts" -R "[host]:23" RSA host key for [host]:23 has changed and you have requested strict checking. Host key verification failed. I am expecting to get this warning, but the penultimate line sounds wrong to me. From the point of view of ssh, "RSA host key" shouldn't appear changed; it didn't know anything about it at all. In fact, the actual RSA key on the server never changed. What changed was the type of key offered by the server. I think the error message should reflect that. To reproduce, run /usr/sbin/sshd -ddd -p 23 -oHostKeyAlgorithms=ecdsa-sha2-nistp256 Connect to let ssh remember the key, then run /usr/sbin/sshd -ddd -p 23 -oHostKeyAlgorithms=rsa-sha2-256 Connect again and observe the error -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Nov-20 03:00 UTC
[Bug 3216] Confusing error "host key ... has changed" when connecting to a server not offering matching host key types
https://bugzilla.mindrot.org/show_bug.cgi?id=3216 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org CC| |djm at mindrot.org, | |dtucker at dtucker.net Attachment #3455| |ok?(dtucker at dtucker.net) Flags| | --- Comment #1 from Damien Miller <djm at mindrot.org> --- Created attachment 3455 --> https://bugzilla.mindrot.org/attachment.cgi?id=3455&action=edit Do not prefix "host key changed" message with potentially incorrect key type Yes, the key type in that error should not be there. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Nov-20 03:00 UTC
[Bug 3216] Confusing error "host key ... has changed" when connecting to a server not offering matching host key types
https://bugzilla.mindrot.org/show_bug.cgi?id=3216 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |3217 Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=3217 [Bug 3217] Tracking bug for 8.5 release -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2020-Nov-20 03:25 UTC
[Bug 3216] Confusing error "host key ... has changed" when connecting to a server not offering matching host key types
https://bugzilla.mindrot.org/show_bug.cgi?id=3216 Darren Tucker <dtucker at dtucker.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #3455|ok?(dtucker at dtucker.net) |ok+ Flags| | -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2020-Nov-27 03:21 UTC
[Bug 3216] Confusing error "host key ... has changed" when connecting to a server not offering matching host key types
https://bugzilla.mindrot.org/show_bug.cgi?id=3216 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution|--- |FIXED --- Comment #2 from Damien Miller <djm at mindrot.org> --- This has been committed and will be in OpenSSH 8.5 -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2021-Mar-03 22:52 UTC
[Bug 3216] Confusing error "host key ... has changed" when connecting to a server not offering matching host key types
https://bugzilla.mindrot.org/show_bug.cgi?id=3216 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #3 from Damien Miller <djm at mindrot.org> --- close bugs that were resolved in OpenSSH 8.5 release cycle -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
Maybe Matching Threads
- [Bug 3219] New: Can't connect to a server that is using several host keys of the same type
- DSA key not accepted on CentOS even after enabling
- DSA key not accepted on CentOS even after enabling
- ssh-ed25519 and ecdsa-sha2-nistp256 host keys
- ssh-ed25519 and ecdsa-sha2-nistp256 host keys