On Sun, Oct 04, 2020 at 09:24:12PM +1100, Damien Miller wrote:
> On Sun, 4 Oct 2020, Damien Miller wrote:
>
> > No - I think you've stumbled on a corner case I hadn't anticipated.
> > Does your configuration override CheckHostIP at all?

No.

> > What are the known_hosts entries for the hostname and IP?
>
> Also, do you use HashKnownHosts? or do you have any hashed host lines
> in known_hosts?

Yes, I use HashKnownHosts, yes.

Here are all the lines from my known_hosts.old that contain the public
keys for this host. (The name is 'freedom' or freedom.herrb.net and the
IP addresses are 192.168.31.41 and
2a03:7220:8081:6101:6552:9ca8:512b:9251.)

|1|LDNls9zwwKUtszPxTWOn1hEP+30=|2C9Jva6DwfnWqEHHjylVV9gAfSs= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF2yT8wIR716QLjlhgLO3XGvFB7QHxguK2UXaFoVFEgQwRHpi5aLRjT3eENZNYHDUj/Nr4wFWDrOW1whtU+CxkM
|1|zjuSnQb3afgDzZBCywXwNiZHYuY=|fUpd/QMtdR1dwYwfDUMM1xKIhqA= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF2yT8wIR716QLjlhgLO3XGvFB7QHxguK2UXaFoVFEgQwRHpi5aLRjT3eENZNYHDUj/Nr4wFWDrOW1whtU+CxkM
|1|IfXYEUvy166GATD/1980t6hR9CM=|UsUUsCnt3m0WH1X0N6sX/8tl/k8= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF2yT8wIR716QLjlhgLO3XGvFB7QHxguK2UXaFoVFEgQwRHpi5aLRjT3eENZNYHDUj/Nr4wFWDrOW1whtU+CxkM
|1|tOtsqSGnI+Of4l4toTHgAKKeZpI=|pWNu4KHsqq4z49vhuovYNJVE2o4= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF2yT8wIR716QLjlhgLO3XGvFB7QHxguK2UXaFoVFEgQwRHpi5aLRjT3eENZNYHDUj/Nr4wFWDrOW1whtU+CxkM
|1|LDNls9zwwKUtszPxTWOn1hEP+30=|2C9Jva6DwfnWqEHHjylVV9gAfSs= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF2yT8wIR716QLjlhgLO3XGvFB7QHxguK2UXaFoVFEgQwRHpi5aLRjT3eENZNYHDUj/Nr4wFWDrOW1whtU+CxkM
|1|IQQcAaveFbGQNoBJdsCJAtoqKSE=|xJvFONAHNU3U2as+cdtNeP2r1es= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFpmvj21EjLwEzHAlI8WWhZqT42g0mdpqfo/vFbN0FMG

--
Matthieu Herrb
On Sun, 4 Oct 2020, Matthieu Herrb wrote:

> On Sun, Oct 04, 2020 at 09:24:12PM +1100, Damien Miller wrote:
> > On Sun, 4 Oct 2020, Damien Miller wrote:
> >
> > > No - I think you've stumbled on a corner case I hadn't anticipated.
> > > Does your configuration override CheckHostIP at all?
>
> No.
>
> > > What are the known_hosts entries for the hostname and IP?
> >
> > Also, do you use HashKnownHosts? or do you have any hashed host lines
> > in known_hosts?
>
> Yes, I use HashKnownHosts, yes.

Thanks - I think that was the missing piece of the puzzle. Can you
please try this diff? It lets UpdateKnownHosts store entries for
the IP address as well as the hostname.

diff --git a/hostfile.c b/hostfile.c
index 3dc9809..9ec9afa 100644
--- a/hostfile.c
+++ b/hostfile.c
@@ -449,6 +449,9 @@ write_host_entry(FILE *f, const char *host, const char *ip,
 	else
 		error("%s: sshkey_write failed: %s", __func__, ssh_err(r));
 	fputc('\n', f);
+	/* If hashing is enabled, the IP address needs to go on its own line */
+	if (success && store_hash && ip != NULL)
+		success = write_host_entry(f, ip, NULL, key, 1);
 	return success;
 }
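Review bot: the recursive call added at the end of the hunk passes the literal `1` as the store_hash argument; it is only reached when `store_hash` is already true, so pass `store_hash` through (`success = write_host_entry(f, ip, NULL, key, store_hash);`) rather than a constant that would silently diverge if the guarding condition is ever changed. The same hunk also keeps `success` true after an unchecked `fputc('\n', f)`; if that newline is not written, the new hashed IP line would be appended onto the end of the host line instead of standing on its own, so either check the fputc return or fold it into the `success` test before recursing.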
On Sun, Oct 04, 2020 at 10:50:32PM +1100, Damien Miller wrote:
> On Sun, 4 Oct 2020, Matthieu Herrb wrote:
>
> > On Sun, Oct 04, 2020 at 09:24:12PM +1100, Damien Miller wrote:
> > > On Sun, 4 Oct 2020, Damien Miller wrote:
> > >
> > > > No - I think you've stumbled on a corner case I hadn't anticipated.
> > > > Does your configuration override CheckHostIP at all?
> >
> > No.
> >
> > > > What are the known_hosts entries for the hostname and IP?
> > >
> > > Also, do you use HashKnownHosts? or do you have any hashed host lines
> > > in known_hosts?
> >
> > Yes, I use HashKnownHosts, yes.
>
> Thanks - I think that was the missing piece of the puzzle. Can you
> please try this diff? It lets UpdateKnownHosts store entries for
> the IP address as well as the hostname.
>
> diff --git a/hostfile.c b/hostfile.c
> index 3dc9809..9ec9afa 100644
> --- a/hostfile.c
> +++ b/hostfile.c
> @@ -449,6 +449,9 @@ write_host_entry(FILE *f, const char *host, const char *ip,
>  	else
>  		error("%s: sshkey_write failed: %s", __func__, ssh_err(r));
>  	fputc('\n', f);
> +	/* If hashing is enabled, the IP address needs to go on its own line */
> +	if (success && store_hash && ip != NULL)
> +		success = write_host_entry(f, ip, NULL, key, 1);
>  	return success;
>  }
>

Thanks for the patch, unfortunately it doesn't solve the issue. ssh is
still claiming that the ecdsa key present in known_hosts differs from
the ed25519 key. And if I answer yes to the question, known_hosts is
not updated.

The way to fix this is still to remove the ecdsa key from known_hosts
manually.

--
Matthieu Herrb
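The hashed entries in Matthieu's known_hosts.old and the patch's comment ("the IP address needs to go on its own line") both rest on one property of the HashKnownHosts format: a hashed name field is `|1|base64(salt)|base64(HMAC-SHA1(salt, name))`, so it can cover exactly one name, whereas a plain field can list `host,ip` together. The following Python is an added example written for this page, not OpenSSH code; it models that format, shows why hashed mode needs a second line for the IP, and looks up which keys a name matches. The sample key, the fixed salt used in the checks, and the helper names (`hash_hostname`, `name_matches`, `write_host_entries`, `find_keys`) are all constructed for the example.

```python
# Added example (not OpenSSH code): model of hashed known_hosts name fields
# and of why a hashed entry covers one name, so host and IP need separate
# lines. The sample key and salts below are constructed for the example.
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

HASH_MAGIC = "|1|"   # marker OpenSSH puts in front of a hashed name field
SALT_LEN = 20        # salt doubles as the HMAC-SHA1 key, so it is 20 bytes


def hash_hostname(name: str, salt: Optional[bytes] = None) -> str:
    """Build a hashed name field: |1|b64(salt)|b64(HMAC-SHA1(salt, name))."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return (HASH_MAGIC + base64.b64encode(salt).decode()
            + "|" + base64.b64encode(digest).decode())


def name_matches(pattern: str, name: str) -> bool:
    """Does one name field (hashed, or plain comma-separated) match name?"""
    if pattern.startswith(HASH_MAGIC):
        try:
            salt_b64, digest_b64 = pattern[len(HASH_MAGIC):].split("|", 1)
            salt = base64.b64decode(salt_b64, validate=True)
            digest = base64.b64decode(digest_b64, validate=True)
        except ValueError:
            return False          # malformed hashed field never matches
        expected = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, digest)
    # A plain field may list several names: "freedom,192.168.31.41"
    return name in pattern.split(",")


def write_host_entries(host: str, ip: Optional[str], key: str,
                       store_hash: bool) -> List[str]:
    """Lines to append for one key, following the write_host_entry() idea.

    Plain mode writes a single "host,ip key" line. Hashed mode must write
    one line per name, because a hashed field is the HMAC of exactly one
    name; the second line is the case the patch in the thread adds.
    """
    if not store_hash:
        names = host if ip is None else f"{host},{ip}"
        return [f"{names} {key}"]
    lines = [f"{hash_hostname(host)} {key}"]
    if ip is not None:
        lines.append(f"{hash_hostname(ip)} {key}")
    return lines


def find_keys(lines: List[str], name: str) -> List[Tuple[str, str]]:
    """Return (keytype, base64 key) for every line whose name field matches.

    Marker lines (@cert-authority, @revoked) and comments are skipped; the
    example only models ordinary entries.
    """
    found = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        names, keytype, rest = parts
        if name_matches(names, name):
            found.append((keytype, rest.split()[0]))  # drop trailing comment
    return found


# Constructed sample key, not a real host key.
SAMPLE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLE"

if __name__ == "__main__":
    plain = write_host_entries("freedom", "192.168.31.41", SAMPLE_KEY, False)
    hashed = write_host_entries("freedom", "192.168.31.41", SAMPLE_KEY, True)
    print("plain:", *plain, sep="\n  ")
    print("hashed:", *hashed, sep="\n  ")
    for name in ("freedom", "192.168.31.41", "freedom.herrb.net"):
        print(name, "->", find_keys(hashed, name))
```

Running it shows the asymmetry the thread is about: the single plain line matches both `freedom` and `192.168.31.41`, but in hashed mode the first line matches only the hostname and the IP is found only because a second hashed line was written for it. A known_hosts produced by hashing the `host,ip` line once would never match the IP, which is the lookup `CheckHostIP` performs.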