[Bug 3501] New: When checking key for IP address, key type is ignored in comparison
https://bugzilla.mindrot.org/show_bug.cgi?id=3501

Bug ID: 3501
Summary: When checking key for IP address, key type is ignored
in comparison
Product: Portable OpenSSH
Version: 9.1p1
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs@mindrot.org
Reporter: bugzilla.mindrot.org@pobox.madduck.net

I used ssh-keyscan to add all 3 keys of a remote host to my known_hosts
file, like so (lines 1–3):

somehost.example.org,192.0.2.167,2001:db8::192.0.2.167 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBExREWxSdCmgdG0WUoziitLWMg5QdR3bNpS5i2ckTWX1VAX24vKggTJdXHU5pQDNIn1OsjMx2ez0TugcPsUIGG0=
somehost.example.org,192.0.2.167,2001:db8::192.0.2.167 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINExMfqczBvNAubVtOdimLP2UwrNwvx5nQstjW8VNs3x
somehost.example.org,192.0.2.167,2001:db8::192.0.2.167 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDD8joOCwmwpyLF+OEiD/UPW4dLYxjgH6ogNKWeqGnkWf2+DaqqZe9acay/Mka6x3c9GCMalC3v2KU6NgnuDAQaEVClDlAaxRMX3n5TY+7EYPV/+z2L/9q4xsJgqdYd2vpB9d7IC5iBmOvPI5FWg74423t1X/jXsLmNOQahznrQTfqDTBzSMbXfsOIVrahz5u4vnK6ZjpTFPLVCm+6BSHTzycEM9LWTD6t7X57GR+96bCAQsmuSHL8amV0V/cWhNH0vhjBp7DSOfHOUukmDdPZ/62dcCg6zHpKjDErp2Q8HJwK4vOkD/YQFzadgiTHVZed732b+EB1bS2MOWuapBx6R

Because of https://bugzilla.mindrot.org/show_bug.cgi?id=3500, when I
connect to the remote host, SSH adds a line for the alternate IPv6
address to known_hosts (this is on line 101):

2001:db8::c000:02a7 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINExMfqczBvNAubVtOdimLP2UwrNwvx5nQstjW8VNs3x

Now, if for whatever reason, SSH tries to verify the host using the
ECDSA key, it will fail to connect:

Warning: the ECDSA host key for 'somehost.example.org' differs from the key for the IP address '2001:db8::c000:02a7'
Offending key for IP in /var/lib/backuppc/.ssh/known_hosts:101
Matching host key in /var/lib/backuppc/.ssh/known_hosts:1
Exiting, you have requested strict checking.
Host key verification failed.

But it's comparing an ECDSA key used for the verification of the
current session to an ED25519 key fingerprint stored in line 101, and
that doesn't seem right.

_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
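An added example, written for this archive page and not taken from the bug report or from OpenSSH's own code: a small Python model of the known_hosts lookup for an IP address, contrasting a comparison against any entry stored for the address with one restricted to entries of the same key type. The known_hosts content is constructed from the report's own lines, with blank filler so the auto-added IPv6 entry lands on line 101 as in the report; hashed (`|1|...`) entries and `@cert-authority`/`@revoked` markers are out of scope.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    lineno: int       # 1-based line in known_hosts, as ssh reports it
    hosts: list       # comma-separated host patterns (plain names/addresses only)
    keytype: str      # e.g. "ssh-ed25519", "ecdsa-sha2-nistp256"
    key: str          # base64 key blob


def parse_known_hosts(text):
    """Parse unhashed known_hosts lines; blanks, comments and @-markers are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.strip().split(None, 3)
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue
        entries.append(Entry(lineno, parts[0].split(","), parts[1], parts[2]))
    return entries


def check_ip_key(entries, ip, keytype, key, match_type=True):
    """Compare the key presented in this session with what is stored for `ip`.
    Returns ("ok", line), ("differs", line) or ("unknown", None).
    match_type=True considers only entries of the same key type (what the
    reporter expected); match_type=False reproduces the reported symptom, where
    an ED25519 line for the address is treated as conflicting with an ECDSA key."""
    candidates = [e for e in entries
                  if ip in e.hosts and (not match_type or e.keytype == keytype)]
    for e in candidates:
        if e.keytype == keytype and e.key == key:
            return ("ok", e.lineno)
    if candidates:
        return ("differs", candidates[0].lineno)
    return ("unknown", None)


ECDSA_KEY = "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBExREWxSdCmgdG0WUoziitLWMg5QdR3bNpS5i2ckTWX1VAX24vKggTJdXHU5pQDNIn1OsjMx2ez0TugcPsUIGG0="
ED25519_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAINExMfqczBvNAubVtOdimLP2UwrNwvx5nQstjW8VNs3x"
HOSTS = "somehost.example.org,192.0.2.167,2001:db8::192.0.2.167"

# Constructed known_hosts: lines 1-2 from the report's ssh-keyscan output, then
# 98 blank filler lines so the IPv6 entry added by ssh sits on line 101 as reported.
KNOWN_HOSTS = "\n".join(
    [f"{HOSTS} ecdsa-sha2-nistp256 {ECDSA_KEY}", f"{HOSTS} ssh-ed25519 {ED25519_KEY}"]
    + [""] * 98
    + [f"2001:db8::c000:02a7 ssh-ed25519 {ED25519_KEY}"])
ENTRIES = parse_known_hosts(KNOWN_HOSTS)

if __name__ == "__main__":
    ip = "2001:db8::c000:02a7"
    print(check_ip_key(ENTRIES, ip, "ecdsa-sha2-nistp256", ECDSA_KEY, match_type=False))  # ('differs', 101)
    print(check_ip_key(ENTRIES, ip, "ecdsa-sha2-nistp256", ECDSA_KEY))                    # ('unknown', None)
    print(check_ip_key(ENTRIES, ip, "ssh-ed25519", ED25519_KEY))                          # ('ok', 101)
```

With type matching, the ECDSA key simply has no entry for the IPv6 address (the line-1 hostname entry still verifies it), so the session is not rejected as a conflicting key.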