On Sun, Oct 04, 2020 at 10:50:32PM +1100, Damien Miller wrote:
> On Sun, 4 Oct 2020, Matthieu Herrb wrote:
> 
> > On Sun, Oct 04, 2020 at 09:24:12PM +1100, Damien Miller wrote:
> > > On Sun, 4 Oct 2020, Damien Miller wrote:
> > > 
> > > > No - I think you've stumbled on a corner case I hadn't anticipated.
> > > > Does your configuration override CheckHostIP at all?
> > 
> > No.
> > 
> > > > 
> > > > What are the known_hosts entries for the hostname and IP?
> > > 
> > > Also, do you use HashKnownHosts? or do you have any hashed host lines
> > > in known_hosts?
> > 
> > Yes I use HashKnownHosts yes
> 
> Thanks - I think that was the missing piece of the puzzle. Can you
> please try this diff? It lets UpdateKnownHosts store entries for
> the IP address as well as the hostname.
> 
> diff --git a/hostfile.c b/hostfile.c
> index 3dc9809..9ec9afa 100644
> --- a/hostfile.c
> +++ b/hostfile.c
> @@ -449,6 +449,9 @@ write_host_entry(FILE *f, const char *host, const char *ip,
>  	else
>  		error("%s: sshkey_write failed: %s", __func__, ssh_err(r));
>  	fputc('\n', f);
> +	/* If hashing is enabled, the IP address needs to go on its own line */
> +	if (success && store_hash && ip != NULL)
> +		success = write_host_entry(f, ip, NULL, key, 1);
>  	return success;
>  }
> 

thanks for the patch, unfortunately it doesn't solve the issue. ssh is
still claiming that the ecdsa key present in known_hosts differs from
the ed25519 key.
And if I answer yes to the question known_hosts is not updated.

The way to fix this is still to remove the ecdsa key from
known_hosts manually.

-- 
Matthieu Herrb
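Review bot: the recursive call `success = write_host_entry(f, ip, NULL, key, 1);` hard-codes the hash flag as the literal 1 instead of passing `store_hash`; under the `store_hash` guard the two are equivalent, but passing `store_hash` through keeps the two code paths visibly in sync and survives a later change to the guard. The comment above it says the IP "needs to go on its own line" only when hashing is enabled, so a short note on why the unhashed path can keep `host,ip` on one line would help the next reader. Separately, the hunk header advertises 6 original lines but only five context lines survive the quoting, so one context line looks to have been lost in the mail.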
On Sun, Oct 04, 2020 at 06:41:05PM +0200, Matthieu Herrb wrote:
> 
> thanks for the patch, unfortunately it doesn't solve the issue. ssh is
> still claiming that the ecdsa key present in known_hosts differs from
> the ed25519 key.
> And if I answer yes to the question known_hosts is not updated.
> 
> The way to fix this is still to remove the ecdsa key from
> known_hosts manually.
> 

more data points.

I started experimenting with '-o UserKnownHostsFile freedom' -o
'UpdateHostKeys ask' where 'freedom' is a minimal known_hosts file
(with your patch applied, and hashed names / IP addresses):

If only ecdsa keys are in freedom :

- if both the lines for the hashed IP address and name are there, ssh
  connects and asks to add updated keys. It adds existing rsa (?) and
  ed25519 keys for both the hashed name and the IP.
- if only the line for the hashed name is there, ssh adds the line with
  the hashed address and ecdsa key and then asks as above.
- if only the line for the hashed IP address is there, ssh claims that
  the identity can't be established and shows me the fingerprint of the
  ed25519 key.

if only ed25519 keys are there :

- if both key lines for the hashed IP address and name are there, ssh
  connects.
- if only the line for the name is there, ssh connects and adds a line
  with the hash of the IP address (v4 or v6) and the ed25519 key
- if only the line for the hashed IP address is there, ssh claims that
  the identity can't be established and shows me the fingerprint of the
  ed25519 key (that is in the known host with the hash of IP)

If like in my original situation I have ecdsa keys for hashed hostname
and IP but only the ed25519 key for the hashed host name, then ssh
claims:

Warning: the ED25519 host key for 'freedom' differs from the key for the IP address '2a03:7220:8081:6101:6552:9ca8:512b:9251'
Offending key for IP in /home/matthieu/.ssh/freedom:4
Matching host key in /home/matthieu/.ssh/freedom:9

line 4 is the line for the ecdsa key with the hashed IP
line 9 is the line for the ed25519 key with the hashed name

-- 
Matthieu Herrb
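The asymmetric state Matthieu describes (ECDSA lines for the hashed name and the hashed IP, an ED25519 line for the hashed name only) is easy to end up with and hard to spot by eye once HashKnownHosts is on. The following is an added example, not OpenSSH code and not from anyone in this thread: a small Python audit that parses known_hosts lines in both the plain and the `|1|salt|hash` form (OpenSSH computes the hash as HMAC-SHA1 over the host name keyed with a random 20-byte salt) and reports, for a hostname/IP pair, which key types exist for the name versus the IP and whether the two blobs agree. Assumptions: the sample file is constructed inline to reproduce the thread's situation; the IP `192.0.2.10` and the key blobs are placeholders, not real keys; `[host]:port` bracket forms and wildcard patterns are not handled.

```python
"""Audit a known_hosts file for hostname/IP coverage gaps.

Added example, not OpenSSH code. It checks the inconsistency discussed
in the thread: a key type present for the host name but not for the IP
(or vice versa), or differing keys for the two.
"""
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"  # marker OpenSSH writes in front of a hashed host field


def hashed_host_field(name, salt=None):
    """Build the |1|<b64 salt>|<b64 HMAC-SHA1(salt, name)> field that
    HashKnownHosts produces. Salt is 20 random bytes, as in OpenSSH."""
    if salt is None:
        salt = os.urandom(20)
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return (HASH_MAGIC + base64.b64encode(salt).decode()
            + "|" + base64.b64encode(digest).decode())


def host_field_matches(field, name):
    """True if a host field (hashed, or plain comma-separated) covers `name`.
    Wildcards and [host]:port forms are not handled in this example."""
    if field.startswith(HASH_MAGIC):
        try:
            _, _, salt_b64, digest_b64 = field.split("|", 3)
            salt = base64.b64decode(salt_b64)
            expected = base64.b64decode(digest_b64)
        except ValueError:
            return False  # malformed hashed field
        actual = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return name in field.split(",")


def parse_known_hosts(text):
    """Return (lineno, host_field, key_type, key_blob) for each key line,
    skipping blanks, comments, and any leading @cert-authority/@revoked marker."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):
            fields = fields[1:]
        if len(fields) < 3:
            continue
        entries.append((lineno, fields[0], fields[1], fields[2]))
    return entries


def audit_host(text, hostname, ip):
    """Per key type: first line covering the hostname, first line covering
    the IP, and whether the two key blobs agree (None if one side is missing)."""
    by_name, by_ip = {}, {}
    for lineno, host_field, key_type, blob in parse_known_hosts(text):
        if host_field_matches(host_field, hostname):
            by_name.setdefault(key_type, (lineno, blob))
        if host_field_matches(host_field, ip):
            by_ip.setdefault(key_type, (lineno, blob))
    report = {}
    for key_type in sorted(set(by_name) | set(by_ip)):
        n, i = by_name.get(key_type), by_ip.get(key_type)
        report[key_type] = {
            "name_line": n[0] if n else None,
            "ip_line": i[0] if i else None,
            "same_key": (n[1] == i[1]) if (n and i) else None,
        }
    return report


def inconsistencies(report):
    """Human-readable findings for one-sided or conflicting entries."""
    out = []
    for key_type, r in report.items():
        if r["name_line"] is None:
            out.append(f"{key_type}: IP entry (line {r['ip_line']}) but no hostname entry")
        elif r["ip_line"] is None:
            out.append(f"{key_type}: hostname entry (line {r['name_line']}) but no IP entry")
        elif not r["same_key"]:
            out.append(f"{key_type}: hostname (line {r['name_line']}) and IP "
                       f"(line {r['ip_line']}) keys differ")
    return out


# Constructed sample: the hostname from the thread, a documentation-range IP
# and placeholder key blobs (not real keys), laid out like Matthieu's file.
HOST = "freedom"
IP = "192.0.2.10"
ECDSA_BLOB = base64.b64encode(b"constructed ecdsa blob").decode()
ED25519_BLOB = base64.b64encode(b"constructed ed25519 blob").decode()
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample: ecdsa for name and IP, ed25519 for the name only",
    f"{hashed_host_field(HOST)} ecdsa-sha2-nistp256 {ECDSA_BLOB}",
    f"{hashed_host_field(IP)} ecdsa-sha2-nistp256 {ECDSA_BLOB}",
    f"{hashed_host_field(HOST)} ssh-ed25519 {ED25519_BLOB}",
])

if __name__ == "__main__":
    for finding in inconsistencies(audit_host(SAMPLE_KNOWN_HOSTS, HOST, IP)):
        print(finding)
```

Run against a real file by reading it into `audit_host` with the name and the address ssh actually resolves (the v6 address in the warning above is what matters when ssh connects over v6). Because hashed fields can only be tested, not listed, the audit must be told which hostname/IP pair to probe; that is also why a one-sided entry is invisible in the file itself.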
On Sun, 4 Oct 2020, Matthieu Herrb wrote:

> thanks for the patch, unfortunately it doesn't solve the issue. ssh is
> still claiming that the ecdsa key present in known_hosts differs from
> the ed25519 key.
> And if I answer yes to the question known_hosts is not updated.
> 
> The way to fix this is still to remove the ecdsa key from
> known_hosts manually.

Please try removing the ssh-ed25519 key from known_hosts (leaving just
the ECDSA lines for name and IP) and try connecting with my patch. IMO
the problem is that unpatched ssh forgot to write a known_hosts entry
for the host's IP address and left your known_hosts in an inconsistent
state.

If that fails then please send a debug trace from ssh ("ssh -vvv ...")

-d
On Mon, Oct 05, 2020 at 10:18:07AM +1100, Damien Miller wrote:
> On Sun, 4 Oct 2020, Matthieu Herrb wrote:
> 
> > thanks for the patch, unfortunately it doesn't solve the issue. ssh is
> > still claiming that the ecdsa key present in known_hosts differs from
> > the ed25519 key.
> > And if I answer yes to the question known_hosts is not updated.
> > 
> > The way to fix this is still to remove the ecdsa key from
> > known_hosts manually.
> 
> Please try removing the ssh-ed25519 key from known_hosts (leaving just
> the ECDSA lines for name and IP) and try connecting with my patch. IMO
> the problem is that unpatched ssh forgot to write a known_hosts entry
> for the host's IP address and left your known_hosts in an inconsistent
> state.
> 
> If that fails then please send a debug trace from ssh ("ssh -vvv
> ...")

Yes that works as expected in my tests. Thanks.

The problem is more that, in the default config, ssh is now refusing to
connect when in addition to ecdsa keys there is already an ED25519 key
for the hashed host name, but no hashed IP entry.

The bare 8.4 ssh (from OpenBSD September 29 snapshot) does connect
without asking in that situation.

-- 
Matthieu Herrb