I have confirmed this behavior from OpenSSH 6.6 in OS X (from MacPorts) and 6.6 in Ubuntu.

I have set up an SSH certificate authority, and as such I put the following line at the top of my known_hosts file:

    @cert-authority *.mydomain.com ssh-rsa <public key>

Below this are all my hashed entries for various other hosts that I've contacted over the years. Every once in a while I'll rebuild a box in my environment, and the ssh key will change. To clean up my known_hosts file to allow me to re-insert the new entry, I will do ssh-keygen -R <ip>. This has the unintended consequence of matching on the offending entry in the known_hosts file *and* my cert-authority entry:

    $ ssh-keygen -R 10.50.3.149
    # Host 10.50.3.149 found: line 1 type RSA
    # Host 10.50.3.149 found: line 512 type ECDSA
    /Users/mlindgren/.ssh/known_hosts updated.
    Original contents retained as /Users/mlindgren/.ssh/known_hosts.old

Am I missing something fundamental here?

Thanks,
Mattias
On Wed, 7 May 2014, Mattias Lindgren wrote:

> Every once in a while I'll rebuild a box in my environment, and the
> ssh key will change. To clean up my known_hosts file to allow me to
> re-insert the new entry, I will do ssh-keygen -R <ip>. This has the
> unintended consequence of matching on the offending entry in the
> known_hosts file *and* my cert-authority entry:
>
> $ ssh-keygen -R 10.50.3.149
> # Host 10.50.3.149 found: line 1 type RSA
> # Host 10.50.3.149 found: line 512 type ECDSA
> /Users/mlindgren/.ssh/known_hosts updated.
> Original contents retained as /Users/mlindgren/.ssh/known_hosts.old
>
> Am I missing something fundamental here?

No, that's a bug. Could you file it at https://bugzilla.mindrot.org/ ?

-d
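The following is an added example, not code from the thread above or from OpenSSH, showing the behaviour a practitioner would want from host-key removal while the bug is unfixed: entries for the given host (plain, comma-separated and HashKnownHosts-style hashed entries) are dropped, but marker lines (@cert-authority, @revoked) are never touched, even when their host pattern matches, and are reported instead so the user can decide. The sample known_hosts content, its placeholder key blobs and the hash salt are constructed for the example; the hashed-entry format (|1|base64(salt)|base64(HMAC-SHA1(salt, hostname))) is OpenSSH's documented one. Wildcard matching uses fnmatch as an approximation of OpenSSH's own pattern matcher, and negated (!) patterns are not handled.

```python
import base64
import fnmatch
import hashlib
import hmac

HASH_MAGIC = "|1|"  # prefix OpenSSH writes for HashKnownHosts entries


def hash_host(host, salt):
    """Encode host the way OpenSSH does: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return (HASH_MAGIC + base64.b64encode(salt).decode()
            + "|" + base64.b64encode(digest).decode())


def hashed_field_matches(field, host):
    """True if a |1|salt|hash field was produced from this exact hostname."""
    if not field.startswith(HASH_MAGIC):
        return False
    try:
        salt_b64, digest_b64 = field[len(HASH_MAGIC):].split("|", 1)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except ValueError:
        return False  # malformed entry: never treat as a match
    actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def field_matches(field, host):
    """Match a known_hosts host field (comma-separated patterns) against host."""
    for pattern in field.split(","):
        if pattern.startswith(HASH_MAGIC):
            if hashed_field_matches(pattern, host):
                return True
        elif pattern.startswith("["):
            # [host]:port form: compare literally, caller passes the same form
            if host.lower() == pattern.lower():
                return True
        elif fnmatch.fnmatchcase(host.lower(), pattern.lower()):
            return True
    return False


def remove_host(known_hosts_text, host):
    """Return (new_text, removed_line_numbers, protected_marker_lines).

    Plain host-key lines matching host are removed. Lines carrying a marker
    (@cert-authority, @revoked) are always kept; matching ones are reported.
    """
    kept, removed, protected = [], [], []
    for lineno, line in enumerate(known_hosts_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(line)
            continue
        fields = stripped.split()
        if fields[0].startswith("@"):
            # marker line: host field is the second column
            if len(fields) > 1 and field_matches(fields[1], host):
                protected.append((lineno, fields[0]))
            kept.append(line)
            continue
        if field_matches(fields[0], host):
            removed.append(lineno)
        else:
            kept.append(line)
    new_text = "\n".join(kept)
    if known_hosts_text.endswith("\n"):
        new_text += "\n"
    return new_text, removed, protected


# Constructed sample file: a CA line, a plain entry, a multi-name entry and a
# hashed entry for the same IP as the plain one. Key blobs are placeholders.
SAMPLE_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "@cert-authority *.mydomain.com ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER_CA_KEY",
    "10.50.3.149 ecdsa-sha2-nistp256 AAAAE2VjZHNh_PLACEHOLDER_HOST_KEY",
    "build01.mydomain.com,10.50.3.150 ssh-ed25519 AAAAC3NzaC1l_PLACEHOLDER_OTHER_KEY",
    hash_host("10.50.3.149", SAMPLE_SALT) + " ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER_OLD_RSA_KEY",
]) + "\n"


def demo_remove(host):
    """Run remove_host over the constructed sample for the given host."""
    return remove_host(SAMPLE_KNOWN_HOSTS, host)


if __name__ == "__main__":
    new_text, removed, protected = demo_remove("10.50.3.149")
    print("removed lines:", removed)          # [2, 4]: plain and hashed entry
    print("kept marker lines:", protected)    # []: CA pattern does not match the IP
    print(new_text)
```

Both the plain entry and the hashed entry for 10.50.3.149 are removed, while the @cert-authority line on line 1 stays in place; removing build01.mydomain.com instead reports the CA line as a protected match rather than deleting it, which is the behaviour the report above expected from ssh-keygen -R.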