Bug 2145

Summary: ssh-keygen -R doesn't work when there are entries for "proxycommand" keys
Product: Portable OpenSSH Reporter: Hugh Davenport <hugh>
Component: ssh-keygenAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WORKSFORME    
Severity: trivial CC: djm, mindrot.org
Priority: P5    
Version: 6.2p1   
Hardware: Other   
OS: Linux   

Description Hugh Davenport 2013-08-29 06:29:31 AEST 
I can't seem to reproduce the same style entry, but below is snippets that should show what is wrong.

Basically the gist is that example.com is in known hosts, and is a hop point for a proxycommand for foo.example.com which has a explicit hostname of an ip address. I tried to recreate it, but my current version of ssh automatically puts the hashed host entry, not the ip,<no hostip...> entry. They probably came from an earlier version of ssh.

$ ssh-keygen -f "/home/hdavenport/.ssh/known_hosts" -R example.com
# Host example.com found: line 1 type RSA
line 2 invalid key: 192.168.x.x,<no...
/home/hdavenport/.ssh/known_hosts is not a valid known_hosts file.
Not replacing existing known_hosts file because of errors
$ cat /home/hdavenport/.ssh/known_hosts
|1|hosthash ssh-rsa keyhash
192.168.x.x,<no hostip for proxy command> ssh-rsa keyhash
$ cat /home/hdavenport/.ssh/config
host foo.example.com
  proxycommand ssh -q example.com nc -q0 %h %p
  hostname 192.168.x.x
Comment 1 mindrot.org 2015-02-12 06:57:41 AEDT 
The invalid known_hosts entries are created by older versions of the Ruby library net-ssh: https://rubygems.org/gems/net-ssh

The bug is fixed in version 2.9.2 of net-ssh.
Comment 2 Damien Miller 2015-02-12 19:36:24 AEDT 
This is working as intended: if the known_hosts file is messed up then ssh-keygen -R bails out instead of blundering ahead and destroying it further.

We've fixed the bug in ssh that put the "<no hostip for proxy command>" entries in known_hosts to begin with a while back IIRC.
Comment 3 Damien Miller 2015-08-11 23:05:41 AEST 
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1