Bug 2894 - Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 7.7p1
Hardware: Other Other
Importance: P5 enhancement
Assignee: Assigned to nobody
Depends on: 2738
Blocks: V_8_7
Reported: 2018-08-11 22:08 AEST by db+mindrot
Modified: 2022-02-25 13:59 AEDT

Description db+mindrot 2018-08-11 22:08:05 AEST
Set UpdateHostKeys for interactive invocations of ssh client to 'ask' by default. 


(Related to this request, I notice that Fabric, http://docs.fabfile.org/en/1.14/usage/ssh.html, defaults to loading and using the known_hosts file **but** reject_unknown_hosts defaults to false (so hosts that have never "been seen" are allowed); this, combined with Fabric seemingly preferring an rsa host key while I had an ecdsa host key for $host, would have allowed MITM attacks.)
Comment 1 Colin Watson 2019-01-11 22:35:54 AEDT
I ran into this recently when trying to work out how we might do host key rotation on a large SSH server.  This is a code hosting site to which you can push code over SSH, usable by anyone who's given us a public key rather than limited to a single organisation, so we can't mandate any particular client setup and the host key certificate mechanisms don't really work all that well for us either.

Life would be a lot easier in this kind of environment if UpdateHostKeys were on in some way by default.  (We'd actually probably need it to have been on by default for a few years, and something similar to be in some other popular clients too, but you have to start somewhere.)
Comment 2 Colin Watson 2019-01-11 22:38:16 AEDT
(Sorry, I submitted the last comment by accident before I'd finished writing it ...)

Is there an explanation somewhere for why UpdateHostKeys is off?  The best I could find was a git commit from 2015 saying "turn UpdateHostkeys off by default until I figure out mlarkin@'s warning message".  And I wonder if https://bugzilla.mindrot.org/show_bug.cgi?id=2631 would also need to be fixed in order to use this in practice?
Comment 3 Damien Miller 2019-01-23 11:37:41 AEDT
IIRC there might be some corner cases wrt multiple keys files. It was a bit fiddly IIRC
Comment 4 Damien Miller 2020-01-25 11:24:19 AEDT
Committed; will be in openssh-8.2
Comment 5 Damien Miller 2020-02-04 11:00:49 AEDT
I've had to revert this change.

It doesn't play well with certificate host keys and I'm unsure of the interaction with @revoked lines in known_hosts.

Both these need to be fixed before it gets enabled again. I plan to do this early in the 8.3 release cycle to give it as long as possible to bake.
Comment 6 Damien Miller 2020-02-04 11:44:22 AEDT
Prepare for 8.2 release; retarget bugs
Comment 7 Damien Miller 2020-05-08 13:39:23 AEST
Retarget bugs to 8.4 release
Comment 8 Damien Miller 2021-03-04 09:47:02 AEDT
retarget to 8.6
Comment 9 Jakub Jelen 2021-03-05 21:46:33 AEDT
AFAIK this was addressed in OpenSSH 8.5p1

https://www.openssh.com/txt/release-8.5
Comment 10 Damien Miller 2021-04-23 14:50:15 AEST
retarget after 8.6p1 release
Comment 11 Damien Miller 2021-07-02 14:02:01 AEST
The last release enabled UpdateHostkeys by default under most circumstances
Comment 12 Damien Miller 2022-02-25 13:59:39 AEDT
closing bugs resolved before openssh-8.9