Hi, I created new host keys on serverA, updated sshd_config accordingly (adding the line below) and restarted ssh: cd /etc/ssh sudo ssh-keygen -f 2024_ssh_host_ed25519_key -t ed25519 -N '' sudo vi /etc/ssh/sshd_config # added line: HostKey /etc/ssh/2024_ssh_host_ed25519_key sudo service ssh restart When I connect to serverA (`ssh -v -o UpdateHostKeys=yes serverA`) afterwards, known_hosts on the client is not updated. The output of the ssh command contains this: debug1: Host '[serverA.domain.internal]:22' is known and matches the ED25519 host key. # ... debug1: client_input_hostkeys: searching /Users/snafu/.ssh/known_hosts for [serverA.domain.internal]:22 / (none) debug1: client_input_hostkeys: searching /Users/snafu/.ssh/known_hosts2 for [serverA.domain.internal]:22 / (none) debug1: client_input_hostkeys: hostkeys file /Users/snafu/.ssh/known_hosts2 does not exist debug1: client_input_hostkeys: host key found matching a different name/address, skipping UserKnownHostsFile update The last message is slightly ambiguous ? it could be interpreted as the new host key having been found in known_hosts for a different host (which is almost impossible, as I created it on serverA one hour ago), or that old host key(s) for serverA (which are obviously present in known_hosts) somehow interfered with the file update. The second interpretation is probably correct, but I fail to see what the problem could be. - Jan -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 228 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20241013/b50f8458/attachment.asc>
Damien Miller
2024-Oct-14 03:48 UTC
Re: SSH host key rotation – known_hosts file not updated
On Sun, 13 Oct 2024, Jan Eden via openssh-unix-dev wrote:> Hi, > > I created new host keys on serverA, updated sshd_config accordingly > (adding the line below) and restarted ssh: > > cd /etc/ssh > sudo ssh-keygen -f 2024_ssh_host_ed25519_key -t ed25519 -N '' > > sudo vi /etc/ssh/sshd_config > # added line: HostKey /etc/ssh/2024_ssh_host_ed25519_key > > sudo service ssh restart > > > When I connect to serverA (`ssh -v -o UpdateHostKeys=yes serverA`) > afterwards, known_hosts on the client is not updated. The output of the > ssh command contains this: > > debug1: Host '[serverA.domain.internal]:22' is known and matches the ED25519 host key. > # ... > debug1: client_input_hostkeys: searching /Users/snafu/.ssh/known_hosts for [serverA.domain.internal]:22 / (none) > debug1: client_input_hostkeys: searching /Users/snafu/.ssh/known_hosts2 for [serverA.domain.internal]:22 / (none) > debug1: client_input_hostkeys: hostkeys file /Users/snafu/.ssh/known_hosts2 does not exist > debug1: client_input_hostkeys: host key found matching a different name/address, skipping UserKnownHostsFile update > > The last message is slightly ambiguous ? it could be interpreted as the > new host key having been found in known_hosts for a different host > (which is almost impossible, as I created it on serverA one hour ago), > or that old host key(s) for serverA (which are obviously present in > known_hosts) somehow interfered with the file update. The second > interpretation is probably correct, but I fail to see what the problem > could be.It's hard to figure out what is going on here without seeing the full debug trace and the contents of the known_hosts file. One weird thing is this:> debug1: Host '[serverA.domain.internal]:22' is known and matches the ED25519 host key.ssh doesn't usually decorate the hostname with port numbers like this for the default port 22. Did you redact the output? Anyway, in answer to your question. The "host key found matching a different name/address" is triggered when a key received from the server in an update already exists under a different name. If you turn the debugging level up, then you'll see the name(s) that it matches too: 2100 if (sshkey_equal(l->key, ctx->keys[i])) { 2101 ctx->other_name_seen = 1; 2102 debug3_f("found %s key under different " 2103 "name/addr at %s:%ld", 2104 sshkey_ssh_name(ctx->keys[i]), 2105 l->path, l->linenum); 2106 return 0; 2107 } 2108 } -d