I have a machine (OpenBSD -current) with the following known_hosts entries from various old connections:

  v4_address ecdsa-sha2-nistp256
  v6_address ecdsa-sha2-nistp256 (line 1515)
  hostname ecdsa-sha2-nistp256
  hostname,v4_address ssh-rsa
  hostname,v4_address ssh-ed25519 (line 1222)

I've changed my resolver to hand out v6 addresses before v4 addresses (I have done this before - given the above entries it looks like it was at a time before ssh-ed25519 keys - then reverted it after an ISP problem at some point). Now I get hostkey warnings. It's easy enough to cope with the change manually of course, but I wonder if the automated behaviour could be improved.

| $ ssh -vvvF none some.host.name
| ...
| debug3: record_hostkey: found key type ECDSA in file /home/sthen/.ssh/known_hosts:1220
| debug3: record_hostkey: found key type RSA in file /home/sthen/.ssh/known_hosts:1221
| debug3: record_hostkey: found key type ED25519 in file /home/sthen/.ssh/known_hosts:1222
| debug3: load_hostkeys: loaded 3 keys from some.host.name
| debug3: order_hostkeyalgs: have matching best-preference key type ssh-ed25519-cert-v01@xxxxxxxxxxx, using HostkeyAlgorithms verbatim
| ...
| debug1: Server host key: ssh-ed25519 SHA256:xxx
| debug3: hostkeys_foreach: reading file "/home/sthen/.ssh/known_hosts"
| debug3: record_hostkey: found key type ECDSA in file /home/sthen/.ssh/known_hosts:1220
| debug3: record_hostkey: found key type RSA in file /home/sthen/.ssh/known_hosts:1221
| debug3: record_hostkey: found key type ED25519 in file /home/sthen/.ssh/known_hosts:1222
| debug3: load_hostkeys: loaded 3 keys from some.host.name
| debug3: hostkeys_foreach: reading file "/home/sthen/.ssh/known_hosts"
| debug3: record_hostkey: found key type ECDSA in file /home/sthen/.ssh/known_hosts:1515
| debug3: load_hostkeys: loaded 1 keys from xxxx:xxxx:x:xxx::x
| debug1: Host 'some.host.name' is known and matches the ED25519 host key.
| debug1: Found key in /home/sthen/.ssh/known_hosts:1222
| Warning: the ED25519 host key for 'some.host.name' differs from the key for the IP address 'xxxx:xxxx:x:xxx::x'
| Offending key for IP in /home/sthen/.ssh/known_hosts:1515
| Matching host key in /home/sthen/.ssh/known_hosts:1222
| Are you sure you want to continue connecting (yes/no)? ^C

Should order_hostkeyalgs consider the address family and actually prefer ecdsa-sha2-nistp256 in this case even though it has a better algorithm for the host *name*?

Should this warning be skipped if the algorithm differs? (At least in the case where UpdateHostKeys is used?)

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
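The following is an added example, not code from the post or from OpenSSH. It models the interaction the post describes: the client orders host key algorithms by the best type it already has a hostname entry for, the server presents a key of that type, and the CheckHostIP step then looks the same key up under the IP address the resolver returned. It parses a constructed known_hosts snippet shaped like the post's entries (documentation addresses and placeholder key blobs, not real keys) and predicts, for a given hostname and address, whether the IP entry matches, is absent, or would produce the "differs from the key for the IP address" warning. The preference order and the rule "any non-identical IP key is a mismatch, whatever its type" are assumptions made for the example; the function and variable names are the example's own.

```python
"""Predict known_hosts hostname-vs-IP mismatches of the kind described in the post."""
from __future__ import annotations

from collections import defaultdict

# Client preference, best first. Assumption for this example: ed25519 is
# preferred over ecdsa over rsa, consistent with the post's debug output where
# ssh-ed25519 was the "best-preference key type".
PREFERENCE = ("ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa")

# Constructed known_hosts content with the same shape as the post's entries.
# Addresses are RFC 5737/3849 documentation addresses; key blobs are placeholders.
KNOWN_HOSTS = """\
192.0.2.10 ecdsa-sha2-nistp256 PLACEHOLDER_ECDSA_OLD_V4
2001:db8::1 ecdsa-sha2-nistp256 PLACEHOLDER_ECDSA_V6
some.host.name ecdsa-sha2-nistp256 PLACEHOLDER_ECDSA_NAME
some.host.name,192.0.2.10 ssh-rsa PLACEHOLDER_RSA_NAME
some.host.name,192.0.2.10 ssh-ed25519 PLACEHOLDER_ED25519_NAME
"""


def parse_known_hosts(text: str) -> dict[str, dict[str, tuple[str, int]]]:
    """Return {host_or_address: {keytype: (key_blob, lineno)}} for plain lines.

    Comment lines, @cert-authority/@revoked markers and hashed (|1|...) entries
    are skipped; hashed names cannot be matched here without the HMAC salt.
    """
    keys: dict[str, dict[str, tuple[str, int]]] = defaultdict(dict)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#@|":
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        hosts, keytype, blob = fields[0], fields[1], fields[2]
        for host in hosts.split(","):  # "name,address" lines cover both
            keys[host][keytype] = (blob, lineno)
    return dict(keys)


def choose_hostkey_algorithm(keys, hostname: str) -> str:
    """Mimic the post's order_hostkeyalgs behaviour: prefer the best algorithm
    for which a hostname entry already exists, else the default preference."""
    known = keys.get(hostname, {})
    for alg in PREFERENCE:
        if alg in known:
            return alg
    return PREFERENCE[0]


def check_host_ip(keys, hostname: str, address: str) -> dict:
    """Predict the CheckHostIP outcome for a connection to `hostname` that the
    resolver routed to `address`.

    The server is assumed to present the key of the negotiated algorithm, i.e.
    the one stored under the hostname. A byte-identical IP entry is fine, no IP
    entry at all is fine (the client would simply learn it), and any other IP
    key, regardless of type, is reported as the post's "differs" warning.
    """
    alg = choose_hostkey_algorithm(keys, hostname)
    host_entry = keys.get(hostname, {}).get(alg)
    ip_entries = keys.get(address, {})
    result = {"algorithm": alg, "ip_key_types": sorted(ip_entries)}
    if host_entry is None:
        result["status"] = "host-unknown"
    elif not ip_entries:
        result["status"] = "ip-unknown"
    elif alg in ip_entries and ip_entries[alg][0] == host_entry[0]:
        result["status"] = "ok"
    else:
        result["status"] = "ip-key-differs"
        result["host_line"] = host_entry[1]
        result["ip_line"] = next(iter(ip_entries.values()))[1]
        # True would mean a genuinely changed key; False is the post's case,
        # where the IP simply has an entry of an older key type only.
        result["same_type_exists"] = alg in ip_entries
    return result


if __name__ == "__main__":
    kh = parse_known_hosts(KNOWN_HOSTS)
    for addr in ("2001:db8::1", "192.0.2.10"):
        print(addr, check_host_ip(kh, "some.host.name", addr))
```

Running it reproduces the post's situation: for the v6 address the status is `ip-key-differs` with `same_type_exists` false (the IP only has an ecdsa entry while ed25519 was negotiated), whereas for the v4 address, which shares the ed25519 line with the hostname, the status is `ok`. Pointing it at a real known_hosts file and the address `ssh -v` reports lets you spot such stale single-type IP entries before changing resolver ordering.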