Displaying 20 results from an estimated 46 matches for "hashknownhost".
2024 Jun 24
0
[Bug 3703] New: HashKnownHost deprecation
https://bugzilla.mindrot.org/show_bug.cgi?id=3703
Bug ID: 3703
Summary: HashKnownHost deprecation
Product: Portable OpenSSH
Version: 9.4p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter...
2016 Dec 09
2
HashKnownHosts vs @cert-authority
Hi folks,
maybe I am too blind to see, but would it be possible to
avoid extra entries in known_hosts, if the remote host
has a signed public key matching a @cert-authority line?
Something like
Host *
HashKnownHosts unsigned
This could help to keep the known_hosts file small and
yet get all the unsigned public keys in.
Just a suggestion, of course. Regards
Harri
2010 Mar 01
2
[Bug 1727] New: document that HashKnownHosts may break tab-completion
https://bugzilla.mindrot.org/show_bug.cgi?id=1727
Summary: document that HashKnownHosts may break tab-completion
Product: Portable OpenSSH
Version: 5.3p1
Platform: Other
URL: http://bugs.debian.org/430154
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ssh
As...
2020 Oct 04
2
UpdateHostkeys now enabled by default
...Oct 2020, Damien Miller wrote:
>
> > No - I think you've stumbled on a corner case I hadn't anticipated.
> > Does your configuration override CheckHostIP at all?
No.
> >
> > What are the known_hosts entries for the hostname and IP?
>
> Also, do you use HashKnownHosts? or do you have any hashed host lines
> in known_hosts?
Yes I use HashKnownHosts yes
Here are all the lines from my known_hosts.old that contains the
public keys for this host.
(the name is 'freedom' or freedom.herrb.net and IP addresses are
192.168.31.41 and 2a03:7220:8081:6101:6552:...
2008 Jan 03
0
[Bug 866] ssh(1) is too picky about unknown options in ~/.ssh/config
...|josh at freedesktop.org
--- Comment #13 from Josh Triplett <josh at freedesktop.org> 2008-01-03 16:29:15 ---
I encountered the same issue. I share my .ssh/config (along with many
other dotfiles) between machines through version control. Among other
things, my .ssh/config turns off HashKnownHosts to avoid breaking tab
completion, and sets up ControlPath. (The default ssh config has
HashKnownHosts turned off, but some distros or systems turn it on by
default.) Unfortunately, some of the systems I want to share that
config file with have an older ssh that does not support HashKnownHosts
or...
2020 Oct 04
2
UpdateHostkeys now enabled by default
On Sun, 4 Oct 2020, Matthieu Herrb wrote:
> Hi,
>
> on OpenBSD-current I now get this when connecting to an existing
> machine for which I have both ecdsa and ed25519 keys in my existing
> known_hosts (but apparently ed25519 keys were added only for the name
> previously by ssh):
>
> Warning: the ED25519 host key for 'freedom' differs from the key for
> the
2020 Sep 29
12
Human readable .ssh/known_hosts?
Hi list members,
just tried to get some old records out of my known_hosts, which is 'HashKnownHosts yes'. Is there a way to unhash host names and/or IPs?
Google tells about how to add hosts, but not the opposite; maybe I am missing something.
If this does not work at all, is there a best practice for cleaning old hosts and keys out?
Thanks, Martin!
--
Martin
GnuPG Key Fingerprint, KeyID ...
2005 Jun 08
0
hashing Hosts in ssh_config file
Hello,
I hope this isn't a stupid question, but after editing
my sshd_config file to set HashKnownHosts to 'yes'
after this feature was recently added it occurred to me
that many of those same hosts are listed in "Hosts"
lines in my ssh_config file. (The servers I connect
to use different ports and require different
IdentityFiles, so I set the appropriate options for
each server in...
2012 Dec 01
0
sshkey and server with HashKnowHosts set
Hey list,
Not sure if something has been posted about it but I didn't find any post
after research,
I'd like to define an entry in my /etc/ssh/ssh_know_hosts using sshkey
resource.
After a run it does insert an entry there, but the issue is that I have the
HashKnownHosts flag set on my configuration file and that Puppet generates a
plain unencrypted entry for the ssh_known_hosts file. So the first time I
am trying to connect I still get the Unknown Host message I am trying to
avoid.
I've been through the sshkey provider code and I can't see no...
2005 Apr 21
11
[Bug 910] known_hosts port numbers
http://bugzilla.mindrot.org/show_bug.cgi?id=910
djm at mindrot.org changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |foomzilla at fuhm.net
------- Additional Comments From djm at mindrot.org 2005-04-21 18:16 -------
*** Bug 454 has been marked as a
2020 Oct 01
2
Another question about this shell magic...
Hi Martin,
Martin Drescher wrote on Thu, Oct 01, 2020 at 02:06:22PM +0200:
> Can someone tell how this magic works?
No, and this question is off-topic on this list because it is not
related to OpenSSH. It is a question about your shell, and about
how the configuration of your shell works, and you don't even provide
information about how you have configured your shell.
Yours,
Ingo
2020 Oct 04
3
UpdateHostkeys now enabled by default
...on a corner case I hadn't anticipated.
> > > > Does your configuration override CheckHostIP at all?
> >
> > No.
> >
> > > >
> > > > What are the known_hosts entries for the hostname and IP?
> > >
> > > Also, do you use HashKnownHosts? or do you have any hashed host lines
> > > in known_hosts?
> >
> > Yes I use HashKnownHosts yes
>
> Thanks - I think that was the missing piece of the puzzle. Can you
> please try this diff? It lets UpdateKnownHosts store entries for
> the IP address as well as...
2005 May 18
3
known_hosts vulnerability?
Hey all,
I came across a security news article, referenced by
http://www.linux.org/news, at
http://www.techworld.com/security/news/index.cfm?NewsID=3668
talking about an SSH weakness involving the known_hosts file. I
apologize if this issue has already been addressed, but the mailing list
archives didn't turn up anything when i tried searching for something
relevant. So; not to knee-jerk or
2003 Mar 04
0
hashing known_hosts
...when a key comes
up as invalid, something like "Host key not found. Do you want to accept
new key?" Of course, I'd also like the ability to sign old host keys just
to make the trust model safer.
I also think this should be an optional configuration option. Something
like "HashKnownHosts yes"
Test code..
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <openssl/evp.h>
#include <openssl/sha.h>
int
uuencode(u_char *src, u_int srclength,
char *target, size_t targsize)
{
return b64_ntop(src, srclength, target, targs...
2016 Oct 26
2
[Bug 2631] New: Hostkey update and rotation - No IP entries added to known_hosts
...ly hostname based entries are added to
known_hosts file when learning new hostkeys.
Shouldn't IP entries also be added?
Consider the following scenario:
User connects for the first time, specifying a HostKeyAlgorithms
setting that is not first in the default list (rsa-sha2-256 in this
case), HashKnownHosts=yes, and UpdateHostKeys=yes. Server sends key,
it gets recorded in known_hosts both under the hostname and the IP.
User authenticates and additional keys are learned and stored under
only the hostname.
A second connection is made with the default HostKeyAlgorithms value.
A warning and prompt i...
2024 Feb 14
1
How to remove old entries from known_hosts?
...they get
> rebuilt fairly frequently and thus, each time, get a new entry in
> known_hosts.
>
> As a result I have to set 'PreferredAuthentications password' for some
> systems because there are *loads* of redundant keys which cause login
> to fail otherwise.
>
Set 'HashKnownHosts no' in /etc/ssh/ssh_config. This is actually the
default for OpenSSH, but many distro vendors set it to yes because "it's
more secure, obvs".
Connect to all the machines you need to and delete the lines which
conflict (ssh will tell you the line number). When your known_host...
2010 May 02
0
[Bug 1766] New: ssh should provide the current session configuration to subprocesses it invokes (via the environment?)
...iguration
of the ssh session being invoked, but some commands might alter their
behavior based on the ssh configuration.
My proposal is for ssh to export its current configuration to the
environment established for the invoked subcommand. So the child
process could (for example) examine ${OpenSSH_hashknownhosts} to decide
how to update a known_hosts file.
This is similarly useful to sshd's -C and -T options (though the
mechanism is different, of course) -- so aligned tools don't need to
re-implement (or track) OpenSSH's config file parsing code.
One way to approach this would be to allow so...
2010 Jun 29
2
[Bug 1788] New: simple option to ignore known_hosts
...C2 cloud machines and
connects to them, one gets asked for confirmations as well known_hosts
get bloated with useless records.
Could you implement a simple option to ignore known_host checks and
also not record fingerprints in known_hosts?
Currently my workaround is like:
Host *.amazonaws.com
HashKnownHosts no
CheckHostIP no
StrictHostKeyChecking no
UserKnownHostsFile /tmp/somefile
2005 Jun 23
0
ControlPersist.
...-06-23 11:05:11.000000000 +0100
@@ -106,7 +106,7 @@ typedef enum {
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
- oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
+ oSendEnv, oControlPath, oControlMaster, oControlPersist, oHashKnownHosts,
oDeprecated, oUnsupported
} OpCodes;
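Review bot: the added enum line in this hunk is 73 characters long before indentation, so with a tab of indentation it runs past 80 columns. Wrap it so that oHashKnownHosts moves down to the following line with oDeprecated, oUnsupported, which keeps the new oControlPersist next to the other Control* opcodes without overflowing the line.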
@@ -197,6 +197,7 @@ static struct {
{ "sendenv", oSendEnv },
{ "controlpath", oControlPath },
{ "controlmaster", oControlMaster },
+ { "co...
2008 May 15
0
"ServerAliveInterval" and "ServerAliveCountMax" doesnt work in openssh50?
...ing configuration, and reproduced on it.
Following is the experiment I did on my Ubuntu Linux box.
In Terminal 1:
root at sway-desktop:~# uname -a
Linux sway-desktop 2.6.22-14-generic #1 SMP Sun Oct 14 23:05:12 GMT 2007 i686 GNU/Linux
root at sway-desktop:~# cat /ssh_config
Protocol 2
HashKnownHosts yes
ServerAliveInterval 5
ServerAliveCountMax 1
#This tells the ssh to close the connection after 5*1 = 5 seconds if no data has been received from the server.
root at sway-desktop:~# ps -ef|grep sshd
root 5415 1 0 14:21 ? 00:00:00 /home/sway/openssh-5.0p1/sshd -p 55...