Bug 2631 - Hostkey update and rotation - No IP entries added to known_hosts
Summary: Hostkey update and rotation - No IP entries added to known_hosts
Status: CLOSED WORKSFORME
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 7.3p1
Hardware: amd64 Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-10-26 15:42 AEDT by Lance Kinley
Modified: 2021-04-23 14:55 AEST

See Also:


Description Lance Kinley 2016-10-26 15:42:44 AEDT
When UpdateHostKeys=yes/ask, only hostname based entries are added to known_hosts file when learning new hostkeys.

Shouldn't IP entries also be added?

Consider the following scenario:

User connects for the first time, specifying a HostKeyAlgorithms setting that is not first in the default list (rsa-sha2-256 in this case), HashKnownHosts=yes, and UpdateHostKeys=yes.  Server sends key, it gets recorded in known_hosts both under the hostname and the IP.  User authenticates and additional keys are learned and stored under only the hostname.

A second connection is made with the default HostKeyAlgorithms value.  A warning and prompt is issued because the ECDSA key differs from the RSA key stored under the IP address.

This warning and prompt would be avoided if the hostkey update and rotation process recorded a known_hosts entry with the IP address, too.

Is this intentional?
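A check for the gap described in this report, added here as an example and not part of the original bug or of OpenSSH itself: it reads a known_hosts text (including HashKnownHosts entries, matched by recomputing the salted HMAC-SHA1 that OpenSSH uses for hashed host fields) and lists the key types recorded under the hostname but not under the IP address. The hostname, IP, salt and key blobs are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed sample (placeholder key blobs, not real keys) modelled on the
# report: the hostname carries all three learned keys, the IP only the RSA key
# recorded on the first connection.
HOST, IP = "server.example", "192.0.2.10"
SALT = b"\x01" * 20  # fixed salt so the sample is reproducible

def hash_host(host, salt):
    """HashKnownHosts form of a host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())

SAMPLE_KNOWN_HOSTS = "\n".join([
    "%s ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER" % hash_host(HOST, SALT),
    "%s ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER" % hash_host(IP, SALT),
    "%s ecdsa-sha2-nistp256 AAAAE2VjZHNh-PLACEHOLDER" % hash_host(HOST, SALT),
    "%s ssh-ed25519 AAAAC3NzaC1lZDI1-PLACEHOLDER" % hash_host(HOST, SALT),
])

def entry_matches(field, name):
    """Match a host field (hashed, or a plain comma-separated list) against name."""
    if field.startswith("|1|"):
        salt_b64 = field.split("|")[2]
        return hash_host(name, base64.b64decode(salt_b64)) == field
    return name in field.split(",")

def key_types_for(known_hosts, name):
    """Set of key types recorded for a hostname or IP in a known_hosts text."""
    found = set()
    for line in known_hosts.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):  # skip @cert-authority / @revoked marker
            parts = parts[1:]
        if len(parts) >= 3 and entry_matches(parts[0], name):
            found.add(parts[1])
    return found

def missing_ip_key_types(known_hosts, host, ip):
    """Key types known under the hostname but absent under the IP address."""
    return key_types_for(known_hosts, host) - key_types_for(known_hosts, ip)

if __name__ == "__main__":
    print(sorted(missing_ip_key_types(SAMPLE_KNOWN_HOSTS, HOST, IP)))
```

Run against a real ~/.ssh/known_hosts, a non-empty result is the condition under which a later connection offering one of those key types triggers the IP-mismatch prompt described above.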
Comment 1 Damien Miller 2019-07-19 15:15:39 AEST
UpdateKnownhosts does record IP addresses when CheckHostIP=yes. I just double checked and it is working.
Comment 2 Damien Miller 2021-04-23 14:55:49 AEST
closing resolved bugs as of 8.6p1 release