When checking the known_hosts-database for an IP-address, the client is not attempting to normalize the IP. For example, connecting to the following destinations in sequence: * 10.10.220.46 * 168483886 * 0xa0adc2e * 0x0a0adc2e * 0x00a0adc2e * 0x000a0adc2e triggers the "are you sure?" warning each time -- and a separate line in the ~/.ssh/known_hosts for each -- with the same host-key, of course. To solve this, OpenSSH developers need to agree on the "canonical" representation for IPv4 (and IPv6!) addresses. Then the client-side needs to be modified to: 1. When looking up the host in the list, look for the canonical representation first. If no entry is found, look for the few other possible representations and, if found, quietly convert/merge such entry(ies) into canonical. 2. When adding a new entry, always add it in the canonical form regardless of the command-line.
There is, actually, a security implication to this bug -- a MITM attack may be made possible by sending the user to the host identified by the same IP-address in a different notation. Instead of a "the host's key has changed" *error*, they'll get a "would you like to add this key" *warning*...
This was fixed in openssh-7.7. Addresses are now canonicalised by default.
Close RESOLVED bugs with the release of openssh-8.0