On Wed, 5 Feb 2020, Phil Pennock wrote:

> On 2020-02-06 at 10:29 +1100, Damien Miller wrote:
> > * sshd(8): allow the UpdateHostKeys feature to function when
> > multiple known_hosts files are in use. When updating host keys,
> > ssh will now search subsequent known_hosts files, but will add
> > updated host keys to the first specified file only. bz2738
>
> In testing this, when the impact is to _remove_ a known_hosts entry then
> all the existing entries are deleted from the subsequent files, and the
> remaining entries are added to the first file.
>
> I initially assumed, on reading the email, that the logic was to not
> assume that subsequent files are writable, but it seems that's not it.
>
> Is this just a corner case that wasn't considered?

No, that's pretty much the intended behaviour. Tracking which entries go
where and trying to match it while making updates is just too fiddly.

I hope to automatically enable UpdateHostKeys in a future release when
the user is using the default UserKnownHostsFiles, so if people are using
something custom then they can choose themselves whether the above
behaviour is something they can live with.

The previous behaviour was quite broken: AFAIK it wouldn't even search
beyond the first known_hosts file when looking for keys.

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
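As an added illustration, not OpenSSH's own code, here is a small Python model of the consolidation behaviour the thread describes for several known_hosts files; the file names, host name and key blobs are constructed, and the model assumes plain (unhashed), single-host lines.

```python
"""Illustrative model (not OpenSSH's code) of UpdateHostKeys with several
known_hosts files, as described in the thread: new keys are added to the
FIRST file only, and when a key has to be removed, every entry for that host
in the later files is deleted and the surviving keys are re-added to the
first file. Assumes plain, unhashed, single-host lines: "host keytype blob"."""
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple[str, str]  # (key type, base64 key blob)


def parse_entry(line: str) -> Optional[Tuple[str, Key]]:
    """Return (host, (keytype, blob)) for a known_hosts line, None for blanks/comments."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    if fields[0].startswith("@"):  # drop @cert-authority / @revoked markers
        fields = fields[1:]
    if len(fields) < 3:
        return None
    return fields[0], (fields[1], fields[2])


def keys_for(lines: List[str], host: str) -> Set[Key]:
    return {e[1] for e in map(parse_entry, lines) if e and e[0] == host}


def without_host(lines: List[str], host: str) -> List[str]:
    return [l for l in lines if not ((parse_entry(l) or ("", None))[0] == host)]


def update_host_keys(files: List[str], contents: Dict[str, List[str]],
                     host: str, advertised: Set[Key]) -> Dict[str, List[str]]:
    """`files` is the UserKnownHostsFile order; `advertised` are the keys the
    server currently offers for `host`. Returns the new per-file contents."""
    new = {f: list(contents.get(f, [])) for f in files}
    stored = set().union(*(keys_for(new[f], host) for f in files))
    if stored - advertised:
        # Removal case: purge the host from every file, then write survivors and
        # new keys to the first file. Entries from later files migrate there.
        for f in files:
            new[f] = without_host(new[f], host)
        to_write = advertised
    else:
        to_write = advertised - stored  # plain addition: only the new keys
    for keytype, blob in sorted(to_write):
        new[files[0]].append(f"{host} {keytype} {blob}")
    return new


# Constructed sample: "gw.example" has one key in each of two files.
SAMPLE = {
    "~/.ssh/known_hosts": ["gw.example ssh-ed25519 AAAAC3ed25519OLD"],
    "~/.ssh/known_hosts2": ["gw.example ssh-rsa AAAAB3rsaKEEP",
                            "other.example ssh-rsa AAAAB3other"],
}


def demo() -> Dict[str, List[str]]:
    # Server now offers the RSA key plus a new ed25519 key; the old ed25519 is gone.
    return update_host_keys(list(SAMPLE), SAMPLE, "gw.example",
                            {("ssh-rsa", "AAAAB3rsaKEEP"), ("ssh-ed25519", "AAAAC3ed25519NEW")})
```

Run `demo()` to see the RSA entry leave known_hosts2 and reappear, with the new ed25519 key, in the first file; the unrelated `other.example` line stays where it was.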