bug or feature with ssh-keygen and user CAs?

I have confirmed this behavior from OpenSSH 6.6 in OS X (from MacPorts) and 6.6 in Ubuntu.  I have set up an SSH certificate authority, and as such I put in the following line at the top of my known_hosts file:

@cert-authority *.mydomain.com ssh-rsa <public key>

Below this are all my hashed entries for various other hosts that I’ve contacted over the years.  

Every once in a while I'll rebuild a box in my environment, and the SSH key will change.  To clean up my known_hosts file to allow me to re-insert the new entry, I will do ssh-keygen -R <ip>.  This has the unintended consequence of matching on the offending entry in the known_hosts file *and* my cert-authority entry:

$ ssh-keygen -R 10.50.3.149
# Host 10.50.3.149 found: line 1 type RSA
# Host 10.50.3.149 found: line 512 type ECDSA
/Users/mlindgren/.ssh/known_hosts updated.
Original contents retained as /Users/mlindgren/.ssh/known_hosts.old


Am I missing something fundamental here?

Thanks,

Mattias
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
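The post above shows `ssh-keygen -R` reporting the `@cert-authority` line as a match for a bare IP, so a routine host-key cleanup can silently drop the CA trust anchor. The following is an added example, not OpenSSH's code and not from the poster: a small Python model of the known_hosts host-field matching that `ssh-keygen -F` and `-R` perform (plain and comma-separated patterns, `!` negation, and the `|1|salt|hash` hashed form, which is HMAC-SHA1 keyed with the base64 salt), plus a remover that never deletes `@cert-authority` or `@revoked` marker lines along with a host's key. The known_hosts contents, key blobs and salt are constructed for the example; `[host]:port` entries and `[...]` character classes are not modelled.

```python
"""Added example (not OpenSSH code): known_hosts matcher and a marker-preserving
host remover, modelled on what `ssh-keygen -F` / `ssh-keygen -R` do."""
import base64
import fnmatch
import hashlib
import hmac

MARKERS = ("@cert-authority", "@revoked")


def hashed_host_field(host: str, salt: bytes) -> str:
    """Build OpenSSH's hashed host field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_field_matches(field: str, host: str) -> bool:
    """Does the host field of one known_hosts line cover `host`?"""
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        return hmac.compare_digest(hashed_host_field(host, salt), field)
    patterns = field.split(",")
    # A negated pattern that matches vetoes the whole entry (OpenSSH semantics).
    if any(p.startswith("!") and fnmatch.fnmatchcase(host, p[1:]) for p in patterns):
        return False
    return any(not p.startswith("!") and fnmatch.fnmatchcase(host, p) for p in patterns)


def parse_line(line: str):
    """Return (marker, host_field) for an entry, or None for blank/comment lines."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    marker = ""
    if tokens[0] in MARKERS:
        marker, tokens = tokens[0], tokens[1:]
        if not tokens:
            return None
    return marker, tokens[0]


def find_host(lines, host):
    """Like `ssh-keygen -F`: (line number, marker) of every entry covering `host`."""
    hits = []
    for n, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed and host_field_matches(parsed[1], host):
            hits.append((n, parsed[0]))
    return hits


def remove_host(lines, host, keep_markers=True):
    """Like `ssh-keygen -R`, but by default keep CA/revocation marker lines.
    Returns (remaining lines, removed line numbers). As with -R, a multi-host
    line such as "10.50.3.149,old.mydomain.com ..." is removed as a whole."""
    kept, removed = [], []
    for n, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed:
            marker, field = parsed
            if host_field_matches(field, host) and not (keep_markers and marker):
                removed.append(n)
                continue
        kept.append(line)
    return kept, removed


# Constructed sample known_hosts; fixed salt so the hashed line is reproducible.
SALT = bytes(range(20))
SAMPLE = [
    "@cert-authority *.mydomain.com ssh-rsa AAAAB3...CAKEY",
    "web01.mydomain.com ssh-ed25519 AAAAC3...KEY1",
    hashed_host_field("10.50.3.149", SALT) + " ecdsa-sha2-nistp256 AAAAE2...KEY2",
    "10.50.3.149,old.mydomain.com ssh-rsa AAAAB3...KEY3",
    "@revoked * ssh-rsa AAAAB3...REVOKEDKEY",
]

if __name__ == "__main__":
    for n, marker in find_host(SAMPLE, "10.50.3.149"):
        print("# Host 10.50.3.149 found: line %d %s" % (n, marker or "(host key)"))
    remaining, gone = remove_host(SAMPLE, "10.50.3.149")
    print("removed lines:", gone)
    print("\n".join(remaining))
```

Running it against the sample removes only lines 3 and 4 (the hashed entry and the plain multi-host entry for 10.50.3.149); the `@cert-authority *.mydomain.com` line is not a match for the IP at all, and the catch-all `@revoked *` line, which does match, is kept because deleting a revocation is as dangerous as deleting a trust anchor. Before any real cleanup, `ssh-keygen -F <host>` shows which lines `-R` is about to touch, and `known_hosts.old` is the fallback if a marker line disappears.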