Bug 2479

Summary:

ssh-keyscan non-standard port broken

Product:

Portable OpenSSH

Reporter:

micah

Component:

ssh-keyscan

Assignee:

Damien Miller <djm>

Status:

CLOSED FIXED

Severity:

normal

CC:

djm, dtucker

Priority:

Version:

6.9p1

Hardware:

amd64

OS:

Linux

Bug Depends on:

Bug Blocks:

2451

Attachments:

Description	Flags
expand each host name/address individually	dtucker: ok+

Description micah 2015-10-13 08:16:31 AEDT

If one passes the -p option for a non-standard port to ssh-keyscan when
using the -f option to pull hosts from a file, it results in a
known_hosts entry that is incorrect:

micah@muck$ cat /tmp/try 
199.254.238.47 micah.riseup.net,199.254.238.47

micah@muck$ ssh-keyscan -t rsa -p 4422 -f /tmp/try > /tmp/known

micah@muck$ cat /tmp/known
[micah.riseup.net,199.254.238.47]:4422 ssh-rsa DATA

It seems like putting a list of hostnames,ips inside of the [] doesn't
work:

micah@muck:dotfiles$ ssh -oUserKnownHostsFile=/tmp/known micah@micah.riseup.net -p 4422
The authenticity of host '[micah.riseup.net]:4422 ([199.254.238.47]:4422)' can't be established.
RSA key fingerprint is SHA256:CbHIxWJjFKJk5V+G09XeiABqIRTooC646ZfSl7FRp2w.
Are you sure you want to continue connecting (yes/no)?

It should be constructed like this:

[micah.riseup.net]:4422,[199.254.238.47]:4422 ssh-rsa DATA

Comment 1 Damien Miller 2015-10-23 13:36:13 AEDT

Created attachment 2735 [details]
expand each host name/address individually

I think ssh-keyscan should expand the host list when the port number is non-default or host hashing is in use. 

The attached diff tries to do this:

# 203.217.30.81:22 SSH-2.0-OpenSSH_7.1
fuyu.mindrot.org,203.217.30.81 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtNSRpUm2RRL2A1XPw2zFXg+t6zfAtuuDcC/M0mbwBgbwKkMAhv5diC22U5VOsmeSs8ufbuDVIZ5PL1jllbuvT5XSVwxTPiLaOHKnMLKtn97dlqWwW2SnC6Yn4zejJpIFw0+KcX+euJZhU7bqj7ocQ4To+igThYl2U1vTrpTImsz8I2OYzcA2523EbEsLlnxTEL813norSYj3jwUaUQN9iz3ybcuLk9XbwIazN2iXFU1mQP6tzJlUHjhVBXeM7gSsir4mJC72tYHoL+v9fUakFUEowXkJnmj+o8uNiNKFjQt66s23/HjQvujMzfYG0uV2yHwjsvWeo3h138HnHeo+5Q==

[djm@demiurge openssh]$ ./ssh-keyscan -t rsa -p 2222 -f /tmp/x1 
# 203.217.30.81:2222 SSH-2.0-OpenSSH_7.1
[fuyu.mindrot.org]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtNSRpUm2RRL2A1XPw2zFXg+t6zfAtuuDcC/M0mbwBgbwKkMAhv5diC22U5VOsmeSs8ufbuDVIZ5PL1jllbuvT5XSVwxTPiLaOHKnMLKtn97dlqWwW2SnC6Yn4zejJpIFw0+KcX+euJZhU7bqj7ocQ4To+igThYl2U1vTrpTImsz8I2OYzcA2523EbEsLlnxTEL813norSYj3jwUaUQN9iz3ybcuLk9XbwIazN2iXFU1mQP6tzJlUHjhVBXeM7gSsir4mJC72tYHoL+v9fUakFUEowXkJnmj+o8uNiNKFjQt66s23/HjQvujMzfYG0uV2yHwjsvWeo3h138HnHeo+5Q==
[203.217.30.81]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtNSRpUm2RRL2A1XPw2zFXg+t6zfAtuuDcC/M0mbwBgbwKkMAhv5diC22U5VOsmeSs8ufbuDVIZ5PL1jllbuvT5XSVwxTPiLaOHKnMLKtn97dlqWwW2SnC6Yn4zejJpIFw0+KcX+euJZhU7bqj7ocQ4To+igThYl2U1vTrpTImsz8I2OYzcA2523EbEsLlnxTEL813norSYj3jwUaUQN9iz3ybcuLk9XbwIazN2iXFU1mQP6tzJlUHjhVBXeM7gSsir4mJC72tYHoL+v9fUakFUEowXkJnmj+o8uNiNKFjQt66s23/HjQvujMzfYG0uV2yHwjsvWeo3h138HnHeo+5Q==

[djm@demiurge openssh]$ ./ssh-keyscan -t rsa -H -f /tmp/x1 
# 203.217.30.81:22 SSH-2.0-OpenSSH_7.1
|1|ym8qXXurgjs0t6rZpJ9SkFLjnJU=|cIa7BLNfWuInKIvRxiHQtIkl6wA= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtNSRpUm2RRL2A1XPw2zFXg+t6zfAtuuDcC/M0mbwBgbwKkMAhv5diC22U5VOsmeSs8ufbuDVIZ5PL1jllbuvT5XSVwxTPiLaOHKnMLKtn97dlqWwW2SnC6Yn4zejJpIFw0+KcX+euJZhU7bqj7ocQ4To+igThYl2U1vTrpTImsz8I2OYzcA2523EbEsLlnxTEL813norSYj3jwUaUQN9iz3ybcuLk9XbwIazN2iXFU1mQP6tzJlUHjhVBXeM7gSsir4mJC72tYHoL+v9fUakFUEowXkJnmj+o8uNiNKFjQt66s23/HjQvujMzfYG0uV2yHwjsvWeo3h138HnHeo+5Q==
|1|lxsMXgGpGeMPNR+9jLVBz9c26es=|LaJR3u29ThoOaekgMCVPTrQhVhU= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtNSRpUm2RRL2A1XPw2zFXg+t6zfAtuuDcC/M0mbwBgbwKkMAhv5diC22U5VOsmeSs8ufbuDVIZ5PL1jllbuvT5XSVwxTPiLaOHKnMLKtn97dlqWwW2SnC6Yn4zejJpIFw0+KcX+euJZhU7bqj7ocQ4To+igThYl2U1vTrpTImsz8I2OYzcA2523EbEsLlnxTEL813norSYj3jwUaUQN9iz3ybcuLk9XbwIazN2iXFU1mQP6tzJlUHjhVBXeM7gSsir4mJC72tYHoL+v9fUakFUEowXkJnmj+o8uNiNKFjQt66s23/HjQvujMzfYG0uV2yHwjsvWeo3h138HnHeo+5Q==


# 203.217.30.81:2222 SSH-2.0-OpenSSH_7.1
[|1|SOCfZlLsozka+6Ib4TiIFPlBSVs=|xie/tboEBMz8az3tkmZ5Zmd0LdY=]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtNSRpUm2RRL2A1XPw2zFXg+t6zfAtuuDcC/M0mbwBgbwKkMAhv5diC22U5VOsmeSs8ufbuDVIZ5PL1jllbuvT5XSVwxTPiLaOHKnMLKtn97dlqWwW2SnC6Yn4zejJpIFw0+KcX+euJZhU7bqj7ocQ4To+igThYl2U1vTrpTImsz8I2OYzcA2523EbEsLlnxTEL813norSYj3jwUaUQN9iz3ybcuLk9XbwIazN2iXFU1mQP6tzJlUHjhVBXeM7gSsir4mJC72tYHoL+v9fUakFUEowXkJnmj+o8uNiNKFjQt66s23/HjQvujMzfYG0uV2yHwjsvWeo3h138HnHeo+5Q==
[|1|WQ2HkjmJ9aS4cAswWlMu0b3Grrk=|TeVMzH5/XW1sVttL0652gM5rr2c=]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtNSRpUm2RRL2A1XPw2zFXg+t6zfAtuuDcC/M0mbwBgbwKkMAhv5diC22U5VOsmeSs8ufbuDVIZ5PL1jllbuvT5XSVwxTPiLaOHKnMLKtn97dlqWwW2SnC6Yn4zejJpIFw0+KcX+euJZhU7bqj7ocQ4To+igThYl2U1vTrpTImsz8I2OYzcA2523EbEsLlnxTEL813norSYj3jwUaUQN9iz3ybcuLk9XbwIazN2iXFU1mQP6tzJlUHjhVBXeM7gSsir4mJC72tYHoL+v9fUakFUEowXkJnmj+o8uNiNKFjQt66s23/HjQvujMzfYG0uV2yHwjsvWeo3h138HnHeo+5Q==

Comment 2 Darren Tucker 2015-10-23 14:03:49 AEDT

Comment on attachment 2735 [details]
expand each host name/address individually

>+	if (!key)

style(9) says this should be tested against NULL since it's not a boolean.

>+		return;
>+	if (!hash_hosts

Ditto.

otherwise ok.

Comment 3 Damien Miller 2015-10-25 09:56:52 AEDT

Patch applied - this will be in OpenSSH 7.2. Thanks!

Comment 4 Damien Miller 2016-08-02 10:41:56 AEST

Close all resolved bugs after 7.3p1 release