Created attachment 1972 [details]: patch

ssh should mention ssh-keyscan when it warns about remote host fingerprint. I find that many people are unaware that ssh-keygen can remove lines from known_hosts for them. Adding a copy-and-pasteable message in the warning will make users more aware and make it easier for them to do so.
I'd also sent this to the mailing list: http://lists.mindrot.org/pipermail/openssh-unix-dev/2010-December/029084.html
Created attachment 1977 [details]: use ip/host not ip_line/host_line

I think Scott picked out the wrong version of this patch to send; -R <ip_line> can't possibly work. Here's a corrected version.
I think encouraging cut-and-pasting something in response to a key mismatch warning instead of having people *thinking* about the key change and why it changed is
(In reply to comment #3)
> I think encouraging cut-and-pasting something in response to a key
> mismatch warning instead of having people *thinking* about the key
> change and why it changed is

bah. "I think encouraging cut-and-pasting something in response to a key mismatch warning instead of having people *thinking* about the key change and why it changed is not a good idea"
I expected the "make it hard to do so people know what they're doing" response. I really don't think it's all that valid. The user is still forced to take manual action: finding, selecting, and pasting the command line. The "finding" is non-trivial, and in the output message (example below), the most obvious and important warning message still stands out.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
c5:43:dd:69:56:82:2c:30:4c:03:57:45:aa:de:26:31.
Please contact your system administrator.
Add correct host key in /home/smoser/.ssh/known_hosts.uec to get rid of this message.
Offending key in /home/smoser/.ssh/known_hosts.uec:1
  remove with: ssh-keygen -f "/home/smoser/.ssh/known_hosts.uec" -R kearney
RSA host key for kearney has changed and you have requested strict checking.
Host key verification failed.
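The warning above comes from ssh comparing the key a host presents against the entries in known_hosts that cover that hostname, then reporting which line holds the stale key. The following is an added illustration of that lookup, written for this discussion and not code from OpenSSH or from the attached patch: it parses a constructed known_hosts file (plain, comma-separated and hashed host fields), classifies the presented key as ok / unknown / mismatch, prints an MD5 fingerprint in the colon format the report shows, and emits the "Offending key in FILE:LINE" detail together with the ssh-keygen -R removal command, prefaced by the out-of-band verification step that the mismatch warning exists to prompt. The sample key blobs, the hostnames, the fixed salt and the file path are all constructed; wildcards, negation and port syntax in host fields are not handled, which is a simplification.

```python
import base64
import hashlib
import hmac

# Constructed sample keys: valid base64 of placeholder bytes, not real host keys.
OLD_RSA_BLOB = base64.b64encode(b"constructed-old-rsa-host-key").decode()
NEW_RSA_BLOB = base64.b64encode(b"constructed-new-rsa-host-key").decode()
ED25519_BLOB = base64.b64encode(b"constructed-ed25519-host-key").decode()
FIXED_SALT = bytes(range(20))  # 20-byte salt, fixed so the example is reproducible


def hashed_host_entry(hostname: str, salt: bytes) -> str:
    """Hashed host field as written with HashKnownHosts yes:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                            base64.b64encode(digest).decode())


# Constructed known_hosts content (line 1 is a comment, so "kearney" sits on line 2).
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample file",
    "kearney ssh-rsa " + OLD_RSA_BLOB,
    "web.example,192.0.2.10 ssh-ed25519 " + ED25519_BLOB,
    hashed_host_entry("backup.example", FIXED_SALT) + " ssh-ed25519 " + ED25519_BLOB,
])


def host_matches(host_field: str, hostname: str) -> bool:
    """True if a known_hosts host field covers hostname (plain, list or hashed form)."""
    if host_field.startswith("|1|"):
        parts = host_field.split("|")
        if len(parts) != 4:
            return False
        try:
            salt = base64.b64decode(parts[2])
        except ValueError:
            return False
        return hmac.compare_digest(hashed_host_entry(hostname, salt), host_field)
    return hostname in host_field.split(",")


def md5_fingerprint(key_blob: str) -> str:
    """Colon-separated MD5 fingerprint, the style shown in the warning above."""
    digest = hashlib.md5(base64.b64decode(key_blob)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_host_key(known_hosts_text, path, hostname, key_type, key_blob):
    """Return (status, offending_line_numbers, messages); status is 'ok', 'unknown' or 'mismatch'."""
    offending = []
    for lineno, raw in enumerate(known_hosts_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):          # @cert-authority / @revoked marker: skip it
            line = line.split(None, 1)[1]
        fields = line.split()
        if len(fields) < 3:
            continue
        if not host_matches(fields[0], hostname) or fields[1] != key_type:
            continue
        if hmac.compare_digest(fields[2], key_blob):
            return "ok", [], []       # a matching entry exists: trusted key
        offending.append(lineno)      # same host and key type, different key
    if not offending:
        return "unknown", [], []      # first contact: nothing to compare against
    key_name = key_type.split("-", 1)[1].upper()
    messages = [
        "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!",
        "The fingerprint for the %s key sent by the remote host is %s."
        % (key_name, md5_fingerprint(key_blob)),
    ]
    messages += ["Offending key in %s:%d" % (path, n) for n in offending]
    messages += [
        "Verify the new fingerprint with the host's administrator out of band.",
        "If (and only if) the change is legitimate, remove the stale entry with:",
        '    ssh-keygen -f "%s" -R %s' % (path, hostname),
    ]
    return "mismatch", offending, messages


if __name__ == "__main__":
    _, _, out = check_host_key(SAMPLE_KNOWN_HOSTS, "/home/user/.ssh/known_hosts",
                               "kearney", "ssh-rsa", NEW_RSA_BLOB)
    print("\n".join(out))
```

Running the block prints the mismatch report for "kearney", whose stored key is on line 2 of the constructed file. The hashed entry shows why the line number matters: with HashKnownHosts the hostname never appears in the file, so a user cannot grep for it, and the file:line reference (or ssh-keygen -R, which also matches hashed entries) is the only practical pointer to the stale line.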
But in reality it's probably still simply the case that novice users may assume that text/command to be a recommendation and ignore the previous warnings. Anyway... error messages aren't the proper place to tell users every possible reasonable next step to take. That's what documentation and how-tos are for. So your motivation is probably in fact to make that a quick copy&paste, and that shouldn't be part of OpenSSH.
Sorry, but having the error message suggest something that is exactly the wrong thing to do in the case of an active MITM attack is not something we want to do.
Close all resolved bugs after 7.3p1 release