Bug 2894

Summary: Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
Product: Portable OpenSSH Reporter: db+mindrot
Component: sshAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED    
Severity: enhancement CC: cjwatson, djm, jjelen
Priority: P5    
Version: 7.7p1   
Hardware: Other   
OS: Other   
Bug Depends on: 2738    
Bug Blocks: 3302    

Description db+mindrot 2018-08-11 22:08:05 AEST 
Set UpdateHostKeys for interactive invocations of ssh client to 'ask' by default. 


( Related this request, I notice that Fabric, http://docs.fabfile.org/en/1.14/usage/ssh.html, defaults to loading and using the known_hosts file **but** reject_unknown_hosts defaults to false (so hosts that have never "been seen" are allowed) this combined with Fabric seemingly preferring an rsa host key while I had an ecdsa host key  for $host would have allowed MITM attacks. )
Comment 1 Colin Watson 2019-01-11 22:35:54 AEDT 
I ran into this recently when trying to work out how we might do host key rotation on a large SSH server.  This is a code hosting site to which you can push code over SSH, usable by anyone who's given us a public key rather than limited to a single organisation, so we can't mandate any particular client setup and the host key certificate mechanisms don't really work all that well for us either.

Life would be a lot easier in this kind of environment if UpdateHostKeys were on in some way by default.  (We'd actually probably need it to have been on by default for a few years, and something similar to be in some other popular clients too, but you have to start somewhere.)
Comment 2 Colin Watson 2019-01-11 22:38:16 AEDT 
(Sorry, I submitted the last comment by accident before I'd finished writing it ...)

Is there an explanation somewhere for why UpdateHostKeys is off?  The best I could find was a git commit from 2015 saying "turn UpdateHostkeys off by default until I figure out mlarkin@'s warning message".  And I wonder if https://bugzilla.mindrot.org/show_bug.cgi?id=2631 would also need to be fixed in order to use this in practice?
Comment 3 Damien Miller 2019-01-23 11:37:41 AEDT 
IIRC there might be some corner cases wrt multiple keys files. It was a bit fiddly IIRC
Comment 4 Damien Miller 2020-01-25 11:24:19 AEDT 
Committed; will be in openssh-8.2
Comment 5 Damien Miller 2020-02-04 11:00:49 AEDT 
I've had to revert this change.

It doesn't play well with certificate host keys and I'm unsure of the interaction with @revoked lines in known_hosts.

Both these need to be fixed before it gets enabled again. I plan to do this early in the 8.3 release cycle to give it as long as possible to bake.
Comment 6 Damien Miller 2020-02-04 11:44:22 AEDT 
Prepare for 8.2 release; retarget bugs
Comment 7 Damien Miller 2020-05-08 13:39:23 AEST 
Retarget bugs to 8.4 release
Comment 8 Damien Miller 2021-03-04 09:47:02 AEDT 
retarget to 8.6
Comment 9 Jakub Jelen 2021-03-05 21:46:33 AEDT 
AFAIK this was addressed in OpenSSH 8.5p1

https://www.openssh.com/txt/release-8.5
Comment 10 Damien Miller 2021-04-23 14:50:15 AEST 
retarget after 8.6p1 release
Comment 11 Damien Miller 2021-07-02 14:02:01 AEST 
The last release enabled UpdateHostkeys by default under most circumstances
Comment 12 Damien Miller 2022-02-25 13:59:39 AEDT 
closing bugs resolved before openssh-8.9