Mailing List Archive

[Bug 3176] New: can't figure out how to test StrictHostKeyChecking accept-new
https://bugzilla.mindrot.org/show_bug.cgi?id=3176

Bug ID: 3176
Summary: can't figure out how to test StrictHostKeyChecking accept-new
Product: Portable OpenSSH
Version: 8.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs@mindrot.org
Reporter: frederik-openssh@ofb.net

I like the idea of the "StrictHostKeyChecking accept-new" option but
when I tried to check that it works correctly, I got confused. How do I
pretend that the host key has changed? I thought it would be enough to
change the corresponding key in .ssh/known_hosts, but this just causes
a new entry to be added with the same HostKeyAlias:

# first I deleted the key from .ssh/known_hosts
$ grep TH1LmIM .ssh/known_hosts
[1]$ ssh -F /dev/null -o "StrictHostKeyChecking accept-new" -o HostKeyAlias=foo ofb.net echo hi
Warning: Permanently added 'foo,104.197.242.163' (ECDSA) to the list of known hosts.
hi
$ tail -n 1 .ssh/known_hosts
foo,104.197.242.163 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFypentn5bIw2j25x5/86JRkX87kpGvhUlySBGhY/HGdM/vG3iuItrcYjxbwxNSc8X74a+WQ1qSEjAlsTH1LmIM=
$ sed -i 's/TH1LmIM/TH1LmKM/g' .ssh/known_hosts # simulate changed host key?
$ tail -n 1 .ssh/known_hosts
foo,104.197.242.163 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFypentn5bIw2j25x5/86JRkX87kpGvhUlySBGhY/HGdM/vG3iuItrcYjxbwxNSc8X74a+WQ1qSEjAlsTH1LmKM=
$ ssh -F /dev/null -o "StrictHostKeyChecking accept-new" -o HostKeyAlias=foo ofb.net echo hi
Warning: Permanently added 'foo,104.197.242.163' (ECDSA) to the list of known hosts.
hi
$ tail -n 2 .ssh/known_hosts
foo,104.197.242.163 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFypentn5bIw2j25x5/86JRkX87kpGvhUlySBGhY/HGdM/vG3iuItrcYjxbwxNSc8X74a+WQ1qSEjAlsTH1LmKM=
foo,104.197.242.163 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFypentn5bIw2j25x5/86JRkX87kpGvhUlySBGhY/HGdM/vG3iuItrcYjxbwxNSc8X74a+WQ1qSEjAlsTH1LmIM=

So at the end I have two entries for "foo", with different host keys
(one ends with "mKM=", the other ends with "mIM="). And OpenSSH seems
to be happy with that. What am I missing?
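The check a practitioner would want before trusting the experiment above is whether the sed-edited entry still decodes to a usable key at all: flipping one base64 character in an ecdsa-sha2-nistp256 blob changes the public point, and the new point is almost never on the curve, so a parser that validates the point rejects the line rather than treating it as a different key for "foo". The script below is an added example, not part of the bug report or of OpenSSH; it decodes known_hosts entries, checks that P-256 points satisfy the curve equation, and reports any host that has more than one distinct valid key of the same type recorded (the situation the reporter describes at the end). The two "foo" lines are copied from the report; the host "bar" and its two keys (the P-256 base point and its negation) are constructed here for illustration.

```python
import base64
import binascii
import struct
from collections import defaultdict

# NIST P-256 domain parameters (public constants, not taken from the bug report).
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def read_ssh_string(buf, off):
    """Read one SSH wire-format string (uint32 length prefix) starting at off."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off:off + n], off + n


def ecdsa_p256_blob_is_valid(blob):
    """True only if blob is a well-formed ecdsa-sha2-nistp256 public key whose
    uncompressed point really lies on P-256 (y^2 = x^3 - 3x + b mod p)."""
    try:
        ktype, off = read_ssh_string(blob, 0)
        curve, off = read_ssh_string(blob, off)
        point, off = read_ssh_string(blob, off)
    except (struct.error, ValueError):
        return False
    if ktype != b"ecdsa-sha2-nistp256" or curve != b"nistp256" or off != len(blob):
        return False
    if len(point) != 65 or point[0] != 0x04:
        return False
    x = int.from_bytes(point[1:33], "big")
    y = int.from_bytes(point[33:65], "big")
    if x >= P256_P or y >= P256_P:
        return False
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def make_p256_known_hosts_line(host, x, y):
    """Build a known_hosts line from an uncompressed P-256 point. Used only to
    construct sample input for this example."""
    point = b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    blob = b"".join(struct.pack(">I", len(s)) + s
                    for s in (b"ecdsa-sha2-nistp256", b"nistp256", point))
    return f"{host} ecdsa-sha2-nistp256 {base64.b64encode(blob).decode()}"


def parse_known_hosts_line(line):
    """Return (hostnames, keytype, blob); raise ValueError if the line is
    malformed. Hashed (|1|...) host fields are kept as opaque strings."""
    fields = line.split()
    if fields and fields[0].startswith("@"):   # @cert-authority / @revoked marker
        fields = fields[1:]
    if len(fields) < 3:
        raise ValueError("too few fields")
    try:
        blob = base64.b64decode(fields[2], validate=True)
    except binascii.Error as exc:
        raise ValueError("bad base64") from exc
    return fields[0].split(","), fields[1], blob


def audit_known_hosts(text):
    """Return (bad_lines, conflicts). bad_lines lists 1-based line numbers whose
    entry cannot be parsed or whose ECDSA point is not on P-256; conflicts maps
    (host, keytype) to the set of distinct valid blobs recorded for it."""
    bad_lines = []
    seen = defaultdict(set)
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            hosts, keytype, blob = parse_known_hosts_line(line)
        except ValueError:
            bad_lines.append(lineno)
            continue
        if keytype == "ecdsa-sha2-nistp256" and not ecdsa_p256_blob_is_valid(blob):
            bad_lines.append(lineno)
            continue
        for host in hosts:
            seen[(host, keytype)].add(blob)
    conflicts = {k: v for k, v in seen.items() if len(v) > 1}
    return bad_lines, conflicts


# Constructed sample: the two "foo" lines from the report (sed-edited one first,
# as in its `tail -n 2`), plus a hypothetical host "bar" recorded with two
# different but valid keys (the P-256 base point and its negation).
KNOWN_HOSTS = "\n".join([
    "foo,104.197.242.163 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFypentn5bIw2j25x5/86JRkX87kpGvhUlySBGhY/HGdM/vG3iuItrcYjxbwxNSc8X74a+WQ1qSEjAlsTH1LmKM=",
    "foo,104.197.242.163 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFypentn5bIw2j25x5/86JRkX87kpGvhUlySBGhY/HGdM/vG3iuItrcYjxbwxNSc8X74a+WQ1qSEjAlsTH1LmIM=",
    make_p256_known_hosts_line("bar", P256_GX, P256_GY),
    make_p256_known_hosts_line("bar", P256_GX, P256_P - P256_GY),
]) + "\n"

if __name__ == "__main__":
    bad, conflicts = audit_known_hosts(KNOWN_HOSTS)
    print("entries that do not decode to a valid key:", bad)
    for (host, keytype), blobs in conflicts.items():
        print(f"{host} has {len(blobs)} different {keytype} keys recorded")
```

Run against the constructed file, the sed-edited "foo" line is reported as not decoding to a valid key, "foo" is therefore left with a single valid key, and "bar" is flagged for having two distinct valid keys. To simulate a genuinely changed host key when testing accept-new, the second entry has to be a different valid key for the same host, not a byte-flipped copy of the old one.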

_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs