ssh-keyscan -H -p 1234 host > k.txt    ## dump and hash hostkeys
ssh-keygen -f k.txt -F '[host]:1234'   ## output nothing
ssh-keygen -f k.txt -F host            ## output hostkeys for [host]:1234
Created attachment 3556
pass the full [host]:port for hashing
This has been committed and will be in OpenSSH 8.9 - thanks!
Thanks very much. @dtucker another minor issue of the KnownHosts matching of `ssh-keygen -F` is that 'host' and '[host]:22' are not equivalent.

ssh-keyscan host > k.txt            # output: host key-type ...
ssh-keyscan -p 22 host              # also output: host key-type ...
ssh-keygen -f k.txt -F host         # found hostkey as expected
ssh-keygen -f k.txt -F '[host]:22'  # found nothing, whereas we should also match the same key as previous command
'host' and '[host]:22' aren't supposed to be equivalent - nothing in OpenSSH should ever write '[host]:22'. We deliberately avoid appending the port if it's the default because to do so would multiply 2x the number of cases the search and hashing code needs to consider. It's too much work for no practical gain
Yes, '[host]:22' should not be output to known_hosts. For matching a host, the `hostport` in ssh-keygen should also remove the default port 22, that is, '[host]:22' --> 'host'. Then the matching time remains the same, while the matching logic is consistent with generation.
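Added example (not OpenSSH code and not from anyone in this thread): a small Python model of the hashed known_hosts host field (`|1|<base64 salt>|<base64 HMAC-SHA1(salt, hostfield)>`) and of the lookup `ssh-keygen -F` performs. It reproduces the first report (a hashed `[host]:1234` entry only matches a lookup spelled exactly `[host]:1234`, never bare `host`) and additionally implements the default-port collapse proposed in the last comment (`[host]:22` is looked up as `host`); that collapse is an assumption of this example, not current OpenSSH behaviour. The key strings and the fixed salt are constructed; `@cert-authority`/`@revoked` markers and host-pattern wildcards are deliberately not handled.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

DEFAULT_PORT = 22


def canonical_host(host: str, port: int = DEFAULT_PORT) -> str:
    """Host field as OpenSSH writes it: bare 'host' on port 22, '[host]:port' otherwise."""
    return host if port == DEFAULT_PORT else f"[{host}]:{port}"


def hash_host(hostfield: str, salt: Optional[bytes] = None) -> str:
    """Hashed known_hosts host field: '|1|' + b64(salt) + '|' + b64(HMAC-SHA1(salt, hostfield))."""
    if salt is None:
        salt = os.urandom(20)  # OpenSSH uses a random 20-byte salt per line
    digest = hmac.new(salt, hostfield.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def hostfield_matches(entry: str, hostfield: str) -> bool:
    """True if a plain or hashed known_hosts host field covers hostfield (exact match only)."""
    if entry.startswith("|1|"):
        _, _, salt_b64, hash_b64 = entry.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        digest = hmac.new(salt, hostfield.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(digest, expected)
    # Plain fields may be a comma-separated list; wildcards/negation are not modelled.
    return hostfield in entry.split(",")


def parse_lookup(spec: str) -> Tuple[str, int]:
    """Parse the argument given to 'ssh-keygen -F': 'host' or '[host]:port'."""
    if spec.startswith("[") and "]:" in spec:
        host, _, port = spec[1:].rpartition("]:")
        return host, int(port)
    return spec, DEFAULT_PORT


def find_keys(known_hosts: str, spec: str) -> List[str]:
    """Model of 'ssh-keygen -f FILE -F SPEC': return 'keytype key' for every matching line.

    Assumption (the proposal in the last comment, not OpenSSH behaviour): the lookup
    spec is canonicalised first, so '[host]:22' is searched as 'host'.
    """
    host, port = parse_lookup(spec)
    wanted = canonical_host(host, port)
    found = []
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        hostfield, keytype, key = parts
        if hostfield_matches(hostfield, wanted):
            found.append(f"{keytype} {key}")
    return found


# Constructed sample data: fixed salt for reproducibility, fake (not real) host keys.
SALT = bytes(range(20))
KEY_1234 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyForPort1234NotReal"
KEY_22 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyForPort22NotRealXX"
KNOWN_HOSTS = "\n".join([
    hash_host("[host]:1234", SALT) + " " + KEY_1234,  # what 'ssh-keyscan -H -p 1234' writes
    "host " + KEY_22,                                 # what 'ssh-keyscan host' writes
])

if __name__ == "__main__":
    for spec in ("[host]:1234", "host", "[host]:22"):
        print(spec, "->", find_keys(KNOWN_HOSTS, spec))
```

Running it shows the hashed `[host]:1234` line found only by the `[host]:1234` spec, while both `host` and `[host]:22` resolve to the unhashed port-22 line under the canonicalisation assumed here.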