Bug 2145 - ssh-keygen -R doesn't work when there are entries for "proxycommand" keys
Summary: ssh-keygen -R doesn't work when there are entries for "proxycommand" keys
Status: CLOSED WORKSFORME
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh-keygen
Version: 6.2p1
Hardware: Other Linux
Importance: P5 trivial
Assignee: Assigned to nobody
Reported: 2013-08-29 06:29 AEST by Hugh Davenport
Modified: 2015-08-11 23:05 AEST

Description Hugh Davenport 2013-08-29 06:29:31 AEST
I can't seem to reproduce the same style entry, but below are snippets that should show what is wrong.

Basically the gist is that example.com is in known hosts, and is a hop point for a proxycommand for foo.example.com which has an explicit hostname of an IP address. I tried to recreate it, but my current version of ssh automatically puts the hashed host entry, not the ip,<no hostip...> entry. They probably came from an earlier version of ssh.

$ ssh-keygen -f "/home/hdavenport/.ssh/known_hosts" -R example.com
# Host example.com found: line 1 type RSA
line 2 invalid key: 192.168.x.x,<no...
/home/hdavenport/.ssh/known_hosts is not a valid known_hosts file.
Not replacing existing known_hosts file because of errors
$ cat /home/hdavenport/.ssh/known_hosts
|1|hosthash ssh-rsa keyhash
192.168.x.x,<no hostip for proxy command> ssh-rsa keyhash
$ cat /home/hdavenport/.ssh/config
host foo.example.com
  proxycommand ssh -q example.com nc -q0 %h %p
  hostname 192.168.x.x
Comment 1 mindrot.org 2015-02-12 06:57:41 AEDT
The invalid known_hosts entries are created by older versions of the Ruby library net-ssh: https://rubygems.org/gems/net-ssh

The bug is fixed in version 2.9.2 of net-ssh.
Comment 2 Damien Miller 2015-02-12 19:36:24 AEDT
This is working as intended: if the known_hosts file is messed up then ssh-keygen -R bails out instead of blundering ahead and destroying it further.

We've fixed the bug in ssh that put the "<no hostip for proxy command>" entries in known_hosts to begin with a while back IIRC.
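The fail-closed behaviour described in the comment above (refuse to rewrite known_hosts at all if any line does not parse, rather than silently dropping or mangling entries) is easy to see in a small model of `ssh-keygen -R`. The following is an added example written for this page, not OpenSSH's own code. It uses the real hashed-host format (`|1|base64(salt)|base64(HMAC-SHA1(salt, host))`), but simplifies everything else: the set of accepted key types is an assumption, plain host names are matched exactly (no wildcard or negation patterns), and the keys and addresses in the sample file are constructed placeholders. The broken sample line reproduces the report's case, where a host field containing spaces shifts every later field so the "key type" position holds junk.

```python
import base64
import hashlib
import hmac
import os

# Host key types accepted in the second field. This set is an assumption for
# the example; ssh-keygen itself knows the full list compiled into OpenSSH.
KNOWN_KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def hash_host(hostname, salt=None):
    """Build a hashed known_hosts host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    if salt is None:
        salt = os.urandom(20)
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def host_field_matches(field, hostname):
    """True if a host field (plain, comma-separated, or hashed) names hostname.

    Simplification: plain names are compared exactly; ssh's wildcard and
    negation patterns are not implemented here.
    """
    if field.startswith("|1|"):
        try:
            _, _, salt_b64, digest_b64 = field.split("|", 3)
            salt = base64.b64decode(salt_b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return False
        expected = base64.b64encode(
            hmac.new(salt, hostname.encode(), hashlib.sha1).digest()).decode()
        return hmac.compare_digest(expected, digest_b64)
    return hostname in field.split(",")


def parse_line(line):
    """Return (host_field, key_type, key) for an entry, None for a blank or
    comment line, or raise ValueError for a malformed entry."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    if fields[0].startswith("@"):  # @cert-authority / @revoked marker
        fields = fields[1:]
    if len(fields) < 3 or fields[1] not in KNOWN_KEY_TYPES:
        # A host field containing whitespace shifts every later field, so the
        # "key type" position holds junk: this is the reported "invalid key".
        raise ValueError("invalid key: %s" % (fields[0] if fields else ""))
    return fields[0], fields[1], fields[2]


def validate(contents):
    """List every malformed line, e.g. ['line 2 invalid key: 192.168.0.10,<no']."""
    errors = []
    for lineno, line in enumerate(contents.splitlines(), 1):
        try:
            parse_line(line)
        except ValueError as exc:
            errors.append("line %d %s" % (lineno, exc))
    return errors


def remove_host(contents, hostname):
    """Fail-closed -R: return (new_contents, removed_count), or raise without
    producing any output when the file contains malformed lines."""
    errors = validate(contents)
    if errors:
        raise ValueError("not a valid known_hosts file: " + "; ".join(errors))
    kept, removed = [], 0
    for line in contents.splitlines():
        entry = parse_line(line)
        if entry is not None and host_field_matches(entry[0], hostname):
            removed += 1
        else:
            kept.append(line)
    return "".join(l + "\n" for l in kept), removed


# Constructed sample data (placeholder key, private addresses); a fixed salt
# keeps the hashed entry reproducible between runs.
SALT = bytes(range(20))
SAMPLE_KEY = "AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexampleOnlyNotARealKey"

CLEAN_KNOWN_HOSTS = "\n".join([
    hash_host("example.com", SALT) + " ssh-rsa " + SAMPLE_KEY,
    "bar.example.com,192.168.0.20 ssh-ed25519 " + SAMPLE_KEY,
]) + "\n"

# The same file plus the kind of entry the report shows.
BROKEN_KNOWN_HOSTS = "\n".join([
    hash_host("example.com", SALT) + " ssh-rsa " + SAMPLE_KEY,
    "192.168.0.10,<no hostip for proxy command> ssh-rsa " + SAMPLE_KEY,
    "bar.example.com,192.168.0.20 ssh-ed25519 " + SAMPLE_KEY,
]) + "\n"

if __name__ == "__main__":
    for name, contents in (("clean", CLEAN_KNOWN_HOSTS), ("broken", BROKEN_KNOWN_HOSTS)):
        try:
            new, n = remove_host(contents, "example.com")
            print("%s: removed %d entr%s, file would be rewritten" % (name, n, "y" if n == 1 else "ies"))
        except ValueError as exc:
            print("%s: %s; not replacing existing file" % (name, exc))
```

The design point is that `remove_host` validates the whole file before it decides anything, so a single unparseable line means no output file is produced. The alternative of skipping lines that fail to parse would quietly discard host keys the user relies on, which is exactly the "blundering ahead" the comment above warns against; the right fix is to repair or delete the offending line by hand and rerun.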
Comment 3 Damien Miller 2015-08-11 23:05:41 AEST
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1