Bug 2479 - ssh-keyscan non-standard port broken
Summary: ssh-keyscan non-standard port broken
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh-keyscan
Version: 6.9p1
Hardware: amd64 Linux
Importance: P5 normal
Assignee: Damien Miller
Blocks: V_7_2
Reported: 2015-10-13 08:16 AEDT by micah
Modified: 2016-08-02 10:41 AEST

Attachments
expand each host name/address individually (1003 bytes, patch)
2015-10-23 13:36 AEDT, Damien Miller
dtucker: ok+

Description micah 2015-10-13 08:16:31 AEDT
If one passes the -p option for a non-standard port to ssh-keyscan when
using the -f option to pull hosts from a file, it results in a
known_hosts entry that is incorrect:

micah@muck$ cat /tmp/try 
199.254.238.47 micah.riseup.net,199.254.238.47

micah@muck$ ssh-keyscan -t rsa -p 4422 -f /tmp/try > /tmp/known

micah@muck$ cat /tmp/known
[micah.riseup.net,199.254.238.47]:4422 ssh-rsa DATA

It seems like putting a list of hostnames,ips inside of the [] doesn't
work:

micah@muck:dotfiles$ ssh -oUserKnownHostsFile=/tmp/known micah@micah.riseup.net -p 4422
The authenticity of host '[micah.riseup.net]:4422 ([199.254.238.47]:4422)' can't be established.
RSA key fingerprint is SHA256:CbHIxWJjFKJk5V+G09XeiABqIRTooC646ZfSl7FRp2w.
Are you sure you want to continue connecting (yes/no)?

It should be constructed like this:

[micah.riseup.net]:4422,[199.254.238.47]:4422 ssh-rsa DATA
Comment 1 Damien Miller 2015-10-23 13:36:13 AEDT
Created attachment 2735
expand each host name/address individually

I think ssh-keyscan should expand the host list when the port number is non-default or host hashing is in use. 

The attached diff tries to do this:

# 203.217.30.81:22 SSH-2.0-OpenSSH_7.1
fuyu.mindrot.org,203.217.30.81 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtNSRpUm2RRL2A1XPw2zFXg+t6zfAtuuDcC/M0mbwBgbwKkMAhv5diC22U5VOsmeSs8ufbuDVIZ5PL1jllbuvT5XSVwxTPiLaOHKnMLKtn97dlqWwW2SnC6Yn4zejJpIFw0+KcX+euJZhU7bqj7ocQ4To+igThYl2U1vTrpTImsz8I2OYzcA2523EbEsLlnxTEL813norSYj3jwUaUQN9iz3ybcuLk9XbwIazN2iXFU1mQP6tzJlUHjhVBXeM7gSsir4mJC72tYHoL+v9fUakFUEowXkJnmj+o8uNiNKFjQt66s23/HjQvujMzfYG0uV2yHwjsvWeo3h138HnHeo+5Q==

[djm@demiurge openssh]$ ./ssh-keyscan -t rsa -p 2222 -f /tmp/x1 
# 203.217.30.81:2222 SSH-2.0-OpenSSH_7.1
[fuyu.mindrot.org]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtNSRpUm2RRL2A1XPw2zFXg+t6zfAtuuDcC/M0mbwBgbwKkMAhv5diC22U5VOsmeSs8ufbuDVIZ5PL1jllbuvT5XSVwxTPiLaOHKnMLKtn97dlqWwW2SnC6Yn4zejJpIFw0+KcX+euJZhU7bqj7ocQ4To+igThYl2U1vTrpTImsz8I2OYzcA2523EbEsLlnxTEL813norSYj3jwUaUQN9iz3ybcuLk9XbwIazN2iXFU1mQP6tzJlUHjhVBXeM7gSsir4mJC72tYHoL+v9fUakFUEowXkJnmj+o8uNiNKFjQt66s23/HjQvujMzfYG0uV2yHwjsvWeo3h138HnHeo+5Q==
[203.217.30.81]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtNSRpUm2RRL2A1XPw2zFXg+t6zfAtuuDcC/M0mbwBgbwKkMAhv5diC22U5VOsmeSs8ufbuDVIZ5PL1jllbuvT5XSVwxTPiLaOHKnMLKtn97dlqWwW2SnC6Yn4zejJpIFw0+KcX+euJZhU7bqj7ocQ4To+igThYl2U1vTrpTImsz8I2OYzcA2523EbEsLlnxTEL813norSYj3jwUaUQN9iz3ybcuLk9XbwIazN2iXFU1mQP6tzJlUHjhVBXeM7gSsir4mJC72tYHoL+v9fUakFUEowXkJnmj+o8uNiNKFjQt66s23/HjQvujMzfYG0uV2yHwjsvWeo3h138HnHeo+5Q==

[djm@demiurge openssh]$ ./ssh-keyscan -t rsa -H -f /tmp/x1 
# 203.217.30.81:22 SSH-2.0-OpenSSH_7.1
|1|ym8qXXurgjs0t6rZpJ9SkFLjnJU=|cIa7BLNfWuInKIvRxiHQtIkl6wA= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtNSRpUm2RRL2A1XPw2zFXg+t6zfAtuuDcC/M0mbwBgbwKkMAhv5diC22U5VOsmeSs8ufbuDVIZ5PL1jllbuvT5XSVwxTPiLaOHKnMLKtn97dlqWwW2SnC6Yn4zejJpIFw0+KcX+euJZhU7bqj7ocQ4To+igThYl2U1vTrpTImsz8I2OYzcA2523EbEsLlnxTEL813norSYj3jwUaUQN9iz3ybcuLk9XbwIazN2iXFU1mQP6tzJlUHjhVBXeM7gSsir4mJC72tYHoL+v9fUakFUEowXkJnmj+o8uNiNKFjQt66s23/HjQvujMzfYG0uV2yHwjsvWeo3h138HnHeo+5Q==
|1|lxsMXgGpGeMPNR+9jLVBz9c26es=|LaJR3u29ThoOaekgMCVPTrQhVhU= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtNSRpUm2RRL2A1XPw2zFXg+t6zfAtuuDcC/M0mbwBgbwKkMAhv5diC22U5VOsmeSs8ufbuDVIZ5PL1jllbuvT5XSVwxTPiLaOHKnMLKtn97dlqWwW2SnC6Yn4zejJpIFw0+KcX+euJZhU7bqj7ocQ4To+igThYl2U1vTrpTImsz8I2OYzcA2523EbEsLlnxTEL813norSYj3jwUaUQN9iz3ybcuLk9XbwIazN2iXFU1mQP6tzJlUHjhVBXeM7gSsir4mJC72tYHoL+v9fUakFUEowXkJnmj+o8uNiNKFjQt66s23/HjQvujMzfYG0uV2yHwjsvWeo3h138HnHeo+5Q==


# 203.217.30.81:2222 SSH-2.0-OpenSSH_7.1
[|1|SOCfZlLsozka+6Ib4TiIFPlBSVs=|xie/tboEBMz8az3tkmZ5Zmd0LdY=]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtNSRpUm2RRL2A1XPw2zFXg+t6zfAtuuDcC/M0mbwBgbwKkMAhv5diC22U5VOsmeSs8ufbuDVIZ5PL1jllbuvT5XSVwxTPiLaOHKnMLKtn97dlqWwW2SnC6Yn4zejJpIFw0+KcX+euJZhU7bqj7ocQ4To+igThYl2U1vTrpTImsz8I2OYzcA2523EbEsLlnxTEL813norSYj3jwUaUQN9iz3ybcuLk9XbwIazN2iXFU1mQP6tzJlUHjhVBXeM7gSsir4mJC72tYHoL+v9fUakFUEowXkJnmj+o8uNiNKFjQt66s23/HjQvujMzfYG0uV2yHwjsvWeo3h138HnHeo+5Q==
[|1|WQ2HkjmJ9aS4cAswWlMu0b3Grrk=|TeVMzH5/XW1sVttL0652gM5rr2c=]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtNSRpUm2RRL2A1XPw2zFXg+t6zfAtuuDcC/M0mbwBgbwKkMAhv5diC22U5VOsmeSs8ufbuDVIZ5PL1jllbuvT5XSVwxTPiLaOHKnMLKtn97dlqWwW2SnC6Yn4zejJpIFw0+KcX+euJZhU7bqj7ocQ4To+igThYl2U1vTrpTImsz8I2OYzcA2523EbEsLlnxTEL813norSYj3jwUaUQN9iz3ybcuLk9XbwIazN2iXFU1mQP6tzJlUHjhVBXeM7gSsir4mJC72tYHoL+v9fUakFUEowXkJnmj+o8uNiNKFjQt66s23/HjQvujMzfYG0uV2yHwjsvWeo3h138HnHeo+5Q==
Comment 2 Darren Tucker 2015-10-23 14:03:49 AEDT
Comment on attachment 2735
expand each host name/address individually

>+	if (!key)

style(9) says this should be tested against NULL since it's not a boolean.

>+		return;
>+	if (!hash_hosts

Ditto.

otherwise ok.
Comment 3 Damien Miller 2015-10-25 09:56:52 AEDT
Patch applied - this will be in OpenSSH 7.2. Thanks!
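
A known_hosts file written by an ssh-keyscan build without this fix can still contain the single-bracket form shown in the description. As an added example (not part of the bug report or of OpenSSH), this Python script finds such entries and rewrites them to the per-host form the reporter gives; the function names and the sample lines, with DATA standing in for the key, are constructed for illustration.

```python
import re

# Host field with one bracket pair around a comma-separated list,
# e.g. [a,b]:4422: the form the report shows ssh failing to match.
BROKEN_HOSTS = re.compile(r"^\[([^\[\]]+,[^\[\]]+)\]:(\d+)$")

# Constructed sample; DATA stands in for the base64 key blob.
SAMPLE = """\
# scanned with -p 4422 -f hosts.txt
[micah.riseup.net,199.254.238.47]:4422 ssh-rsa DATA
fuyu.mindrot.org,203.217.30.81 ssh-rsa DATA
[fuyu.mindrot.org]:2222 ssh-rsa DATA
"""


def repair_hosts_field(hosts):
    """Return the per-host form of a broken field, or None if it is fine."""
    m = BROKEN_HOSTS.match(hosts)
    if m is None:
        return None
    names, port = m.group(1).split(","), m.group(2)
    return ",".join("[%s]:%s" % (n, port) for n in names if n)


def repair_known_hosts(text):
    """Return (fixed_text, findings); findings holds (line_no, old, new)."""
    out, findings = [], []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        # An optional @cert-authority/@revoked marker precedes the host field.
        idx = 1 if fields and fields[0].startswith("@") else 0
        fixed = None
        if len(fields) > idx and not fields[0].startswith("#"):
            fixed = repair_hosts_field(fields[idx])
        if fixed is not None:
            findings.append((no, fields[idx], fixed))
            line = line.replace(fields[idx], fixed, 1)
        out.append(line)
    return "\n".join(out) + "\n", findings


if __name__ == "__main__":
    fixed_text, found = repair_known_hosts(SAMPLE)
    for no, old, new in found:
        print("line %d: %s -> %s" % (no, old, new))
    print(fixed_text, end="")
```

Default-port entries and entries already in per-host form pass through unchanged, so the repair can be run repeatedly over the same file.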
Comment 4 Damien Miller 2016-08-02 10:41:56 AEST
Close all resolved bugs after 7.3p1 release