Bug 2241

Summary:

ssh-keygen -R removes matching key as well as @cert-authority

Product:

Portable OpenSSH

Reporter:

runelind <mlindgren>

Component:

ssh-keygen

Assignee:

Damien Miller <djm>

Status:

CLOSED FIXED

Severity:

minor

CC:

djm

Priority:

Version:

6.6p1

Hardware:

amd64

OS:

Mac OS X

Bug Depends on:

Bug Blocks:

2226

Attachments:

Description	Flags
preserve markers when hashing/removing known_hosts	none

Description runelind 2014-05-08 23:13:19 AEST

I have confirmed this behavior from OpenSSH 6.6 in OS X (from MacPorts) and 6.6 in Ubuntu.  I have set up a SSH Certificate authority, and as such I put in the following line at the top of my known_hosts file

@cert-authority *.mydomain.com ssh-rsa <public key>

Below this are all my hashed entries for various other hosts that I've contacted over the years.  


If I do ssh-keygen -R <ip> it has the unintended consequence of matching on the offending entry in the known_hosts file *and* my cert-authority entry:

$ ssh-keygen -R 10.50.3.149
# Host 10.50.3.149 found: line 1 type RSA <--This is my cert-authority
# Host 10.50.3.149 found: line 512 type ECDSA
/Users/mlindgren/.ssh/known_hosts updated.
Original contents retained as /Users/mlindgren/.ssh/known_hosts.old

Comment 1 Damien Miller 2014-07-03 12:55:49 AEST

Created attachment 2447 [details]
preserve markers when hashing/removing known_hosts

Yes, it also barfs on @revoked keys.

This patch should fix it, but the code is a tangled mess and should be more broadly refactored.

Comment 2 Damien Miller 2014-07-03 13:47:42 AEST

patch applied - this will be in openssh-6.7. Thanks!

Comment 3 Damien Miller 2014-10-08 08:00:36 AEDT

Close all bugs left open from 6.6 and 6.7 releases.