Re: UpdateHostkeys now enabled by default

On Sun, 4 Oct 2020, Matthieu Herrb wrote:

> Hi,
> 
> on OpenBSD-current I now get this when connecting to an existing
> machine for which I have both ecdsa and ed25519 keys in my existing
> known_hosts (but apparently ed25519 keys were added only for the name
> previously by ssh):
> 
> Warning: the ED25519 host key for 'freedom' differs from the key for
> the IP address '2a03:7220:8081:6101:6552:9ca8:512b:9251'
> Offending key for IP in /home/matthieu/.ssh/known_hosts:53
> Matching host key in /home/matthieu/.ssh/known_hosts:131
> Are you sure you want to continue connecting (yes/no)?
> 
> Line 53 is the ecdsa key for the given address, 131 is the ed25519 key
> for the name. Neither the name nor the IP address for freedom changed
> (and the behaviour is the same with IPv4).
> 
> If I answer 'yes' the known_hosts file is not updated. I have to
> remove the ecdsa key manually to have the ed25519 key for the IP
> address added automatically.
> 
> i.e.:
> 
> % ssh-keygen -R '2a03:7220:8081:6101:6552:9ca8:512b:9251'
> # Host 2a03:7220:8081:6101:6552:9ca8:512b:9251 found: line 53
> /home/matthieu/.ssh/known_hosts updated.
> Original contents retained as /home/matthieu/.ssh/known_hosts.old
> % ssh freedom
> Warning: Permanently added the ED25519 host key for IP address
> '2a03:7220:8081:6101:6552:9ca8:512b:9251' to the list of known hosts.
> 
> 
> I find this quite disturbing (and it breaks some non-interactive
> scripts). Is it the intended behaviour?

No - I think you've stumbled on a corner case I hadn't anticipated.
Does your configuration override CheckHostIP at all?

What are the known_hosts entries for the hostname and IP?

Thanks,
Damien
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
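
One way to answer the question about which known_hosts entries exist for the hostname and for the IP, as an added example that is not part of the original thread or of OpenSSH: the script lists key types recorded for a name that are absent or different for its address, matching both plain and hashed (`|1|salt|hash`) entries. The host name `examplehost`, the address `2001:db8::53` and the key blobs are constructed placeholders; wildcard patterns and `[host]:port` forms are compared literally.

```python
import base64, hashlib, hmac

def host_matches(field, name):
    """True if a known_hosts host field (plain or hashed) names `name`."""
    if field.startswith("|1|"):
        # Hashed form: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=name))
        pieces = field.split("|")
        if len(pieces) != 4:
            return False  # malformed hashed field
        salt = base64.b64decode(pieces[2])
        mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(pieces[3]))
    # Plain form: comma-separated names, compared literally (no wildcards)
    return name in field.split(",")

def keys_for(text, name):
    """Map key type -> (line number, key blob) for entries naming `name`."""
    found = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        # Skip blanks, comments and @cert-authority / @revoked marker lines
        if len(parts) < 3 or parts[0][0] in "#@":
            continue
        if host_matches(parts[0], name):
            found.setdefault(parts[1], (lineno, parts[2]))
    return found

def compare(text, host, ip):
    """List key types recorded for `host` that are absent or different for `ip`."""
    by_name, by_ip = keys_for(text, host), keys_for(text, ip)
    report = []
    for ktype, (nline, blob) in sorted(by_name.items()):
        if ktype not in by_ip:
            report.append((ktype, "no entry for IP", nline, None))
        elif by_ip[ktype][1] != blob:
            report.append((ktype, "key differs", nline, by_ip[ktype][0]))
    return report

# Constructed sample: key blobs are placeholders, not real keys
SAMPLE = """\
# constructed known_hosts
examplehost,2001:db8::53 ecdsa-sha2-nistp256 PLACEHOLDER_ECDSA_BLOB
examplehost ssh-ed25519 PLACEHOLDER_ED25519_BLOB
"""

if __name__ == "__main__":
    for ktype, status, nline, iline in compare(SAMPLE, "examplehost", "2001:db8::53"):
        print(f"{ktype}: {status} (name line {nline}, IP line {iline})")
```
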