2894 – Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')

Bug 2894 - Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting to 'yes')

Summary: Set UpdateHostKeys for interactive sessions to 'ask' (or consider defaulting ...

Status:	CLOSED FIXED

Alias:	None

Product:	Portable OpenSSH
Classification:	Unclassified
Component:	ssh (show other bugs)
Version:	7.7p1
Hardware:	Other Other

Importance:	P5 enhancement
Assignee:	Assigned to nobody

URL:
Keywords:

Depends on:	2738
Blocks:	V_8_7
	Show dependency tree / graph

Reported:	2018-08-11 22:08 AEST by db+mindrot
Modified:	2022-02-25 13:59 AEDT (History)
CC List:	3 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description db+mindrot 2018-08-11 22:08:05 AEST

Set UpdateHostKeys for interactive invocations of ssh client to 'ask' by default. 


( Related this request, I notice that Fabric, http://docs.fabfile.org/en/1.14/usage/ssh.html, defaults to loading and using the known_hosts file **but** reject_unknown_hosts defaults to false (so hosts that have never "been seen" are allowed) this combined with Fabric seemingly preferring an rsa host key while I had an ecdsa host key  for $host would have allowed MITM attacks. )

Comment 1 Colin Watson 2019-01-11 22:35:54 AEDT

I ran into this recently when trying to work out how we might do host key rotation on a large SSH server.  This is a code hosting site to which you can push code over SSH, usable by anyone who's given us a public key rather than limited to a single organisation, so we can't mandate any particular client setup and the host key certificate mechanisms don't really work all that well for us either.

Life would be a lot easier in this kind of environment if UpdateHostKeys were on in some way by default.  (We'd actually probably need it to have been on by default for a few years, and something similar to be in some other popular clients too, but you have to start somewhere.)

Comment 2 Colin Watson 2019-01-11 22:38:16 AEDT

(Sorry, I submitted the last comment by accident before I'd finished writing it ...)

Is there an explanation somewhere for why UpdateHostKeys is off?  The best I could find was a git commit from 2015 saying "turn UpdateHostkeys off by default until I figure out mlarkin@'s warning message".  And I wonder if https://bugzilla.mindrot.org/show_bug.cgi?id=2631 would also need to be fixed in order to use this in practice?

Comment 3 Damien Miller 2019-01-23 11:37:41 AEDT

IIRC there might be some corner cases wrt multiple keys files. It was a bit fiddly IIRC

Comment 4 Damien Miller 2020-01-25 11:24:19 AEDT

Committed; will be in openssh-8.2

Comment 5 Damien Miller 2020-02-04 11:00:49 AEDT

I've had to revert this change.

It doesn't play well with certificate host keys and I'm unsure of the interaction with @revoked lines in known_hosts.

Both these need to be fixed before it gets enabled again. I plan to do this early in the 8.3 release cycle to give it as long as possible to bake.

Comment 6 Damien Miller 2020-02-04 11:44:22 AEDT

Prepare for 8.2 release; retarget bugs

Comment 7 Damien Miller 2020-05-08 13:39:23 AEST

Retarget bugs to 8.4 release

Comment 8 Damien Miller 2021-03-04 09:47:02 AEDT

retarget to 8.6

Comment 9 Jakub Jelen 2021-03-05 21:46:33 AEDT

AFAIK this was addressed in OpenSSH 8.5p1

https://www.openssh.com/txt/release-8.5

Comment 10 Damien Miller 2021-04-23 14:50:15 AEST

retarget after 8.6p1 release

Comment 11 Damien Miller 2021-07-02 14:02:01 AEST

The last release enabled UpdateHostkeys by default under most circumstances

Comment 12 Damien Miller 2022-02-25 13:59:39 AEDT

closing bugs resolved before openssh-8.9