similar to: Ldap and host keys

Hello. I am running OpenSSH 7.9p1 on my client and server. ssh-keyscan shows the server has ssh-rsa, ssh-ed25519, and ecdsa-sha2-nistp256 host keys. My /etc/ssh/ssh_known_hosts file contains the server's ssh-ed25519 host key. When I try to SSH to the server I get this error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!

Steps to reproduce: 1. Run a SSH server with default configuration and point a domain to it. 2. Add SSHFP record to the domain, but only for Ed25519 key. 3. Attempt to connect with VerifyHostKeyDNS set to yes, but the rest of settings set to defaults. 4. OpenSSH defaults to ECDSA instead of Ed25519 and refuses connection because there is no ECDSA fingerprint in SSHFP records. A stopgap solution

I've got a problem that I'm hoping the list can help with, otherwise ... Heres the problem, I've got OpenSSH 1.2.2p1 running on my Intel Linux box as the secure server. I can connect from another Intel Linux box using scp and it all seems to work fine. Another box tries to connect and it gets a warning about the host keysize not matching. I'm thinking this could be some byte

Well, SSHFP is supposed to only be used on DNSSEC-enabled domains. On Sat, Feb 23, 2019 at 9:59 PM Peter Stuge <peter at stuge.se> wrote: > > Yegor Ievlev wrote: > > It would make more sense to treat SSHFP records in the same way as > > known_hosts > > I disagree with that - known_hosts is nominally a client-local configuration. > > I think it's a very bad

On 17/06/20, Damien Miller (djm at mindrot.org) wrote: > > Firstly, given a host CA signing key on the sshagentca server, would an > > appropriately constructed host certificate added to a forwarded agent > > replace the necessity for a '@cert-authority' line in a user's known_hosts > > file? > > I'm not sure I want to add yet another path (the agent)

http://bugzilla.mindrot.org/show_bug.cgi?id=747 Summary: host authentication requires RSA1 keys Product: Portable OpenSSH Version: 3.7.1p1 Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: Documentation AssignedTo: openssh-bugs at mindrot.org ReportedBy:

Well, known_hosts isn't exactly trusted input, since it's usually composed of the keys you first encounter, without any additional checking, as opposed to (hopefully) correctly signed SSHFP records. On Sat, Feb 23, 2019 at 10:22 PM Peter Stuge <peter at stuge.se> wrote: > > Yegor Ievlev wrote: > > > I think it's a very bad idea to have the client start treating

On Fri, Aug 28, 2015 at 8:48 AM, Bostjan Skufca <bostjan at a2o.si> wrote: > On 27 August 2015 at 05:01, Damien Miller <djm at mindrot.org> wrote: >> Yeah, it's unfortunately quite difficult to implement address matching >> in ~/.ssh/config because of the interplay of Host matching, Hostname >> directives, hostname canonicalisation*, proxy commands, hosts

Here you go: OpenSSH_7.9p1, OpenSSL 1.1.1d 10 Sep 2019 debug1: Reading configuration data /home/ryantm/.ssh/config debug1: /home/ryantm/.ssh/config line 4: Applying options for * debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 13: Applying options for * debug2: resolving "{REDACTED}" port 22 debug2: ssh_connect_direct debug1: Connecting to

Hi, and here's the next feature request, which sounds interesting. Also I think I won't need much extra code to add this feature. So what do you guys think? > `ssh' with its host key checking is incompatible with the use of > `redir' to map different ports on a gateway/firewall system to > different systems behind the firewall. > For instance, I redirect ports as

I''m in the process of automating the build of Oracle RAC nodes running on Linux but there''s one part I can''t quite get my head around. Oracle RAC requires that the oracle user on each node has an authorized_keys file containing the public keys of the oracle user on every other node. It also requires that the known_hosts file contains host keys for all other nodes to

As of version 3.0.2p1 and perhaps earlier localhost forwarded connections are checked in known_hosts. The difficulty is that if you have multiple forwards, only one of them will exist as a valid host key for localhost. All the others will be treated as a "Changed" key prompting reduced functionality including disallowing agent-forwarding. Depending on StrictHostKeyChecking being set,

https://bugzilla.mindrot.org/show_bug.cgi?id=2145 Bug ID: 2145 Summary: ssh-keygen -R doesn't work when there are entries for "proxycommand" keys Product: Portable OpenSSH Version: 6.2p1 Hardware: Other OS: Linux Status: NEW Severity: trivial Priority: P5

https://bugzilla.mindrot.org/show_bug.cgi?id=3627 Bug ID: 3627 Summary: openssh 9.4p1 does not see RSA keys in know_hosts file. Product: Portable OpenSSH Version: 9.4p1 Hardware: SPARC OS: Solaris Status: NEW Severity: major Priority: P5 Component: ssh

I'm working on a small server written in Go to add short-lived user certificates to the forwarded agents of authorized users. https://github.com/rorycl/sshagentca This seems to work quite well for accessing sshd servers with the appropriately configured "TrustedUserCAKeys" directive. I have been in a debate about how similarly adding host certificates to forwarded agents could

If I want to specify for LAN addresses that I don't want to deal with host keys, how do I do that? Understanding the risks, knowing almost everyone will say not to do this - it's a horrible idea, but deciding I want to do it anyway. Tired of having to remove entries from known_hosts with the multiple VM's I have that often change fingerprints, and am willing to live with the risks.

Hi, I submitted a patch back in November of 2009 to add local validation of DNSSEC record to openssh. I recent updated the patch for 5.8, and figured I do a little marketing while I'm at it. :-) Someone had previously submitted a patch which simply trusted the AD bit in the response, which is susceptible to spoofing by anyone who can inject packets between the resolver and the client. Our

I reported a bug recently to the debian bug tracking system but I just checked this mailing list and it seems it was already mentioned here. However the thread seemed to have died. This is worrisome because it's rather a severe security vulnerability. OpenSSH seems to have changed behaviour to canonicalize host names _before_ looking up keys in known_hosts. This is BAD. AWFUL. TERRIBLE. This

This question should be asked before, but I fail to find the discussion. What options can be used for storing host/users pubkeys in a publically available places? I know openssh currently provide option except if /etc/ssh_known_hosts and ~/.ssh/known_hosts. But what about many machines? Think of e.g. pgp keyservers. Note that pgp keyservers isn't a good solution *always*. The best one

On Fri, Feb 24, 2023 at 10:01 AM Jochen Bern <Jochen.Bern at binect.de> wrote: > > On 24.02.23 12:58, Keine Eile wrote: > > does any one of you have a best practice on renewing ssh host keys on > > cloned machines? > > I have a customer who never thought about that, while cloning all VMs > > from one template. Now all machines have the exact same host key. >