Hostnames and domains are case-insensitive, but ssh-keygen -R is not honoring this.

With openssh-7.2p2 Cygwin/Windows 7 (I've also seen the same behavior on RHEL/CentOS with 5.3p1 and 6.6.1p1):

% grep -i myhost ~/.ssh/known_hosts # to show myhost is not there yet
% ssh gmiller@xxxxxxxxxxxxxxxxx date # this will put myhost there if I say "yes", which I will do. Note mixed case.
The authenticity of host 'myhost.domain.com (1.2.3.4)' can't be established.
RSA key fingerprint is SHA256:kr1BeHAQgtdws3gB1NPpKtVDm9OPJ8Gg1loyiDC1z8Y.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'myhost.domain.com,1.2.3.4' (RSA) to the list of known hosts.
Fri Apr 15 15:19:54 EDT 2016
% grep -i myhost ~/.ssh/known_hosts # to show that myhost is now in known_hosts - note it has been smashed to lowercase, which is okay.
myhost.domain.com,1.2.3.4 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwBsMvQ0wMfDKDXJT092F3NWjv840AHpzP0MWR+vAK1t+Uu5fjh2Jh93GFtwUH6BHCKntA7ZRTryk8xFGxlXy1NEmBzMkzNEDzWtVKBSTwnyxUZHs81r6DWBmJbsqny+lxYcUIUWMvjHis8ms6fT9G5rfde0hoLQzUSCN+L3cE1k=
% ssh-keygen -R Myhost.domain.com # now try to remove it. Case should not matter here.
Host Myhost.domain.com not found in /home/millerig/.ssh/known_hosts
% grep -i myhost ~/.ssh/known_hosts # ...but it does. Show that it is still there.
myhost.domain.com,1.2.3.4 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwBsMvQ0wMfDKDXJT092F3NWjv840AHpzP0MWR+vAK1t+Uu5fjh2Jh93GFtwUH6BHCKntA7ZRTryk8xFGxlXy1NEmBzMkzNEDzWtVKBSTwnyxUZHs81r6DWBmJbsqny+lxYcUIUWMvjHis8ms6fT9G5rfde0hoLQzUSCN+L3cE1k=
% ssh-keygen -R myhost.domain.com # this time it will work because we made sure to use lower case.
# Host myhost.domain.com found: line 14
/home/millerig/.ssh/known_hosts updated.
Original contents retained as /home/millerig/.ssh/known_hosts.old
% grep -i myhost ~/.ssh/known_hosts # show that it's gone
%

Seems like ssh-keygen -R is performing a case-sensitive string compare on the provided hostname and the hostnames in the known_hosts file.
It should be a case-insensitive compare. I can fix my scripts so that I convert to lowercase before calling ssh-keygen -R, but it would be nice if this could be fixed so that others don't get caught by surprise.

P.S. The same issue exists for the domain portion of the fully-qualified hostname.

P.P.S. Here is a patch I whipped up. I hope it might be useful.

-------------------------------------------------------
% diff match.c ~/osrc/openssh-7.2p2/match.c 121a122 > char *low_string = 0; 124c125 < u_int i, subi, len = strlen(pattern); --- > u_int i, j, subi, len = strlen(pattern); 156,159c157,165 < if (match_pattern(string, sub)) { < if (negated) < return -1; /* Negative */ < else --- > if (low_string) free(low_string); > low_string = malloc(strlen(string) + 1); > for (j = 0; j < strlen(string); ++j) low_string[j] = tolower(string[j]); > low_string[j] = 0; > if (match_pattern((dolower ? low_string : string), sub)) { > if (negated) { > got_positive = -1; /* Negative */ > break; > } else 165,166c171,172 < * Return success if got a positive match. If there was a negative < * match, we have already returned -1 and never get here. --- > * Return success if there was a positive match; > * return -1 if there was a negative match. 167a174 > if (low_string) free(low_string);
-------------------------------------------------------

Griff
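
Review bot: In the 156,159c157,165 hunk the result of malloc(strlen(string) + 1) is used without a NULL check, so the copy loop writes through a null pointer when allocation fails; test the return value before the loop. tolower(string[j]) is also passed a plain char, which is undefined for negative values, so cast to unsigned char first. The free-then-malloc at the top of the added lines shows the copy is rebuilt on every pass, with strlen(string) re-evaluated per character, even when dolower is 0; building it once before the subpattern loop, and only when dolower is set, removes that repeated work.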
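
Review bot: The cleanup in 167a174 only covers paths that fall through to it, so any return between the malloc and that line which this context-free diff does not show would leak low_string; confirm there is none, or hoist the allocation so there is a single free. The guard in "if (low_string) free(low_string);" is unnecessary because free(NULL) is a no-op, and the initializer in 121a122 reads better as NULL than 0. Please resend as a unified diff (diff -u) so the surrounding loop and the final return of got_positive are visible to reviewers.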
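
The comparison described in the report, as an added example that is not part of the original message and is not OpenSSH code: a byte-wise compare against the known_hosts host field next to a case-folded one. The names name_eq and host_in_field are hypothetical, and the host field is assumed to be a plain comma-separated list (no hashed entries, wildcards or negation).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Compare the n-byte entry with host; ASCII case is folded when fold_case is set. */
static int name_eq(const char *entry, size_t n, const char *host, int fold_case)
{
    size_t i;

    if (strlen(host) != n)
        return 0;
    for (i = 0; i < n; i++) {
        /* Go through unsigned char: tolower() is undefined for negative values. */
        int a = (unsigned char)entry[i], b = (unsigned char)host[i];
        if (fold_case) {
            a = tolower(a);
            b = tolower(b);
        }
        if (a != b)
            return 0;
    }
    return 1;
}

/*
 * Hypothetical helper (assumption, not an OpenSSH function): return 1 if host
 * equals one of the comma-separated names in a plain known_hosts host field.
 * Hashed entries, wildcards and negation are deliberately not handled.
 */
int host_in_field(const char *host, const char *field, int fold_case)
{
    while (*field != '\0') {
        size_t n = strcspn(field, ",");

        if (n > 0 && name_eq(field, n, host, fold_case))
            return 1;
        field += n;
        if (*field == ',')
            field++;
    }
    return 0;
}

int main(void)
{
    const char *field = "myhost.domain.com,1.2.3.4"; /* constructed, from the report */
    printf("exact compare:  %d\n", host_in_field("Myhost.domain.com", field, 0));
    printf("folded compare: %d\n", host_in_field("Myhost.domain.com", field, 1));
    return 0;
}
```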