Re: Re: SSH host key rotation – known_hosts file not updated

On 2024-10-14 14:48, Damien Miller wrote:

> On Sun, 13 Oct 2024, Jan Eden via openssh-unix-dev wrote:
> > When I connect to serverA (`ssh -v -o UpdateHostKeys=yes serverA`)
> > afterwards, known_hosts on the client is not updated. The output of the
> > ssh command contains this:
> > 
> > debug1: Host '[serverA.domain.internal]:22' is known and matches the ED25519 host key.
> > # ...
> > debug1: client_input_hostkeys: searching /Users/snafu/.ssh/known_hosts for [serverA.domain.internal]:22 / (none)
> > debug1: client_input_hostkeys: searching /Users/snafu/.ssh/known_hosts2 for [serverA.domain.internal]:22 / (none)
> > debug1: client_input_hostkeys: hostkeys file /Users/snafu/.ssh/known_hosts2 does not exist
> > debug1: client_input_hostkeys: host key found matching a different name/address, skipping UserKnownHostsFile update

> One weird thing is this:
> 
> > debug1: Host '[serverA.domain.internal]:22' is known and matches the ED25519 host key.
> 
> ssh doesn't usually decorate the hostname with port numbers like this for
> the default port 22. Did you redact the output?

Yes, I redacted hostname and port – sorry, should have mentioned that.

> Anyway, in answer to your question. The "host key found matching a different
> name/address" is triggered when a key received from the server in an update
> already exists under a different name. If you turn the debugging level up,
> then you'll see the name(s) that it matches too:
> 
>   2100          if (sshkey_equal(l->key, ctx->keys[i])) {
>   2101                  ctx->other_name_seen = 1;
>   2102                  debug3_f("found %s key under different "
>   2103                      "name/addr at %s:%ld",
>   2104                      sshkey_ssh_name(ctx->keys[i]),
>   2105                      l->path, l->linenum);
>   2106                  return 0;
>   2107          }
>   2108  }

Thank you! Increasing the verbosity revealed a known_hosts entry linked
to serverA's IP address (I had forgotten that I had connected to it by
IP address at some point). Deleting this entry solved the problem; the
new host key was stored in known_hosts when I connected to serverA
again.

- Jan
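The "found ... key under different name/addr" check quoted above can be reproduced offline so the competing known_hosts entry is located and reviewed before anything is removed. The following script is an added example, not code from the thread or from OpenSSH: it parses known_hosts lines (optional @marker, comma-separated or hashed name list, key type, base64 key), reports any host key that appears on more than one line, and resolves HashKnownHosts-style `|1|salt|hash` names so an entry made by IP address can be found even when it is hashed. The sample file, the key strings and the names serverA/serverB are constructed; wildcard name patterns are deliberately not matched.

```python
"""Audit a known_hosts file for host keys stored under more than one name.

Added example (not from the thread or from OpenSSH). UpdateHostKeys skips
the known_hosts rewrite when the server's key already exists under a
different name or address, which is what the debug3 "found ... key under
different name/addr" message reports. This script reproduces that check
offline so the competing entry can be reviewed before it is removed
(e.g. with `ssh-keygen -R <name-or-ip>`).
"""
import base64
import hashlib
import hmac
import os
from collections import defaultdict


def parse_known_hosts(text):
    """Yield (lineno, marker, names, keytype, key) for every key line.

    Per sshd(8) SSH_KNOWN_HOSTS FILE FORMAT: an optional @marker, a
    comma-separated name list (possibly hashed as |1|salt|hash), the key
    type, the base64 key and an optional comment."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if len(fields) < 3:
            continue  # malformed line; ssh ignores these as well
        yield lineno, marker, fields[0].split(","), fields[1], fields[2]


def hash_name(name, salt=None):
    """Produce the |1|salt|hash form ssh writes with HashKnownHosts=yes
    (HMAC-SHA1 of the name, keyed with a 20-byte random salt)."""
    salt = salt if salt is not None else os.urandom(20)
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def name_matches(pattern, name):
    """True if a plain or hashed known_hosts name pattern covers name.

    Only exact names and hashed entries are handled; wildcard patterns
    (*, ?) and negations are left out for brevity."""
    if not pattern.startswith("|1|"):
        return pattern == name
    _, _, salt_b64, hash_b64 = pattern.split("|", 3)
    digest = hmac.new(base64.b64decode(salt_b64), name.encode(),
                      hashlib.sha1).digest()
    return hmac.compare_digest(digest, base64.b64decode(hash_b64))


def keys_under_multiple_names(text):
    """Return {(keytype, key): [(lineno, names), ...]} for every host key
    that appears on more than one line. Lines with @cert-authority or
    @revoked markers are skipped: they are not host entries."""
    seen = defaultdict(list)
    for lineno, marker, names, keytype, key in parse_known_hosts(text):
        if marker is None:
            seen[(keytype, key)].append((lineno, names))
    return {k: v for k, v in seen.items() if len(v) > 1}


def lines_covering(text, host):
    """Line numbers whose name list covers host, resolving hashed names."""
    return [lineno for lineno, _, names, _, _ in parse_known_hosts(text)
            if any(name_matches(n, host) for n in names)]


# Constructed sample (made-up keys): serverA's key was recorded once by
# name and once by IP; serverB's IP is a hashed entry; the last line is a CA.
KEY_A = "AAAAC3NzaC1lZDI1NTE5AAAAIHRlc3RrZXkxdGVzdGtleTF0ZXN0a2V5MXRlc3RrZXkx"
KEY_B = "AAAAC3NzaC1lZDI1NTE5AAAAIGFub3RoZXJrZXlhbm90aGVya2V5YW5vdGhlcmtleQ=="
KEY_CA = "AAAAC3NzaC1lZDI1NTE5AAAAIGNhY2FjYWNhY2FjYWNhY2FjYWNhY2FjYWNhY2E="
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts",
    "serverA.domain.internal ssh-ed25519 " + KEY_A,
    "10.0.0.5 ssh-ed25519 " + KEY_A + " added-by-ip",
    "serverB.domain.internal ssh-ed25519 " + KEY_B,
    hash_name("10.0.0.6", b"\x01" * 20) + " ssh-ed25519 " + KEY_B,
    "@cert-authority *.domain.internal ssh-ed25519 " + KEY_CA,
])

if __name__ == "__main__":
    dups = keys_under_multiple_names(SAMPLE_KNOWN_HOSTS)
    for (keytype, key), entries in dups.items():
        print("%s key %s... is stored under several names:" % (keytype, key[:16]))
        for lineno, names in entries:
            print("  line %d: %s" % (lineno, ",".join(names)))
    print("lines covering 10.0.0.6:", lines_covering(SAMPLE_KNOWN_HOSTS, "10.0.0.6"))
```

Run it against a real file with `keys_under_multiple_names(open(os.path.expanduser("~/.ssh/known_hosts")).read())`; each reported key lists the lines to review, and `lines_covering(text, "10.0.0.5")` answers the question in the thread (which line was made under the IP) even when HashKnownHosts is on. Removing an entry by name or address is then a matter of `ssh-keygen -R` on the reported name rather than editing the file by hand.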


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
