Public bug reported: Running ssh-keygen -H against known_hosts renders the fingerprints so that a match is no longer found. The man page states this is 'safe to use on files that mix hashed and non-hashed names'.
To reproduce on Ubuntu 16.10, with openssh-client 1:7.3p1-1:

------------------------------------------------------------------------------
1. Try to connect first time, prompted for fingerprint so add it

user@myserver:~$ ssh example.com
The authenticity of host 'example.com (192.0.2.1)' can't be established.
ECDSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8..
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'example.com,192.0.2.1' (ECDSA) to the list of known hosts.
u...@example.com's password:

------------------------------------------------------------------------------
2. Try to connect again, no prompt for fingerprint (as expected)

user@myserver:~$ ssh example.com
u...@example.com's password:

------------------------------------------------------------------------------
4. Hash the known hosts file

user@myserver:~$ ssh-keygen -H
/home/user/.ssh/known_hosts updated.
Original contents retained as /home/user/.ssh/known_hosts.old
WARNING: /home/user/.ssh/known_hosts.old contains unhashed entries
Delete this file to ensure privacy of hostnames

------------------------------------------------------------------------------
5. Try to connect again, prompted for fingerprint

user@myserver:~$ ssh example.com
The authenticity of host 'example.com (192.0.2.1)' can't be established.
ECDSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8..
Are you sure you want to continue connecting (yes/no)?

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1679607

Title:
  Hashing known_hosts renders fingerprints unusable

Status in openssh package in Ubuntu:
  New
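Added example, not part of the bug report and not OpenSSH's code: a self-contained Python re-implementation of the hashed known_hosts line format that sshd(8) documents, |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))|, so that a practitioner can check offline whether a hashed or mixed file still matches a hostname, and see what hashing does to a "host,ip" entry like the one ssh wrote in step 1 (one hashed line per name, each carrying the same key). The known_hosts contents, the key blob and the fixed salt used for the pre-hashed line are constructed placeholders; find_host is this example's stand-in for `ssh-keygen -F host -f file`, and the code does not try to reproduce or diagnose the reported failure.

```python
"""Offline model of OpenSSH's hashed known_hosts entries (|1|salt|hash|).
Added example; the sample data below is constructed, not a real file."""
import base64
import fnmatch
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"   # prefix of a hashed host field
SALT_LEN = 20        # salt length OpenSSH uses (one SHA-1 digest)


def hash_hostname(host: str, salt: bytes) -> str:
    """Build the |1|salt|hash| token for a single hostname (no comma lists)."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "%s%s|%s|" % (HASH_MAGIC, base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def hashed_host_matches(token: str, host: str) -> bool:
    """True if the |1|salt|hash| token was derived from host (constant-time compare)."""
    if not token.startswith(HASH_MAGIC):
        return False
    try:
        salt_b64, hash_b64, rest = token[len(HASH_MAGIC):].split("|", 2)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
    except ValueError:            # malformed token (binascii.Error is a ValueError)
        return False
    if rest != "":                # junk after the closing '|'
        return False
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(digest, expected)


def split_line(line: str):
    """(marker, hostfield, keytext) for one known_hosts line; None for blank/comment lines.
    marker is '' or an '@' marker such as @cert-authority or @revoked."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    marker = ""
    if line.startswith("@"):
        parts = line.split(None, 1)
        if len(parts) < 2:
            return None
        marker, line = parts
    parts = line.split(None, 1)
    if len(parts) < 2:            # no key material on the line
        return None
    return marker, parts[0], parts[1].strip()


def host_matches(hostfield: str, host: str) -> bool:
    """Match host against a hashed token or a plain pattern list
    ('*' and '?' wildcards, '!' negation, as in ssh_config(5) PATTERNS)."""
    host = host.lower()           # ssh lowercases the name it looks up
    if hostfield.startswith(HASH_MAGIC):
        return hashed_host_matches(hostfield, host)
    matched = False
    for pat in hostfield.lower().split(","):
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False      # a negated match overrides any positive match
        elif pat and fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def find_host(known_hosts: str, host: str):
    """All (marker, keytext) pairs whose host field matches host, hashed or plain."""
    hits = []
    for line in known_hosts.splitlines():
        entry = split_line(line)
        if entry and host_matches(entry[1], host):
            hits.append((entry[0], entry[2]))
    return hits


def hash_known_hosts(known_hosts: str, rand=os.urandom) -> str:
    """Hash every plain host field, writing one line per name of a comma list,
    so 'example.com,192.0.2.1' becomes two hashed lines with the same key.
    Lines already hashed, @-marked, or containing '*', '?' or '!' are copied
    unchanged: a hash cannot express a pattern, and ssh-keygen -H skips them too."""
    out = []
    for line in known_hosts.splitlines():
        entry = split_line(line)
        if entry is None:
            out.append(line)      # comments and blank lines survive
            continue
        marker, hostfield, keytext = entry
        if marker or hostfield.startswith(HASH_MAGIC) or any(c in hostfield for c in "*?!"):
            out.append(line)
            continue
        for name in hostfield.lower().split(","):
            if name:
                out.append("%s %s" % (hash_hostname(name, rand(SALT_LEN)), keytext))
    return "\n".join(out) + "\n"


# Constructed sample: the key blob is a placeholder, not a real host key.
SAMPLE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERnotArealKey0000000000000 user@myserver"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts mixing plain and hashed entries",
    "example.com,192.0.2.1 " + SAMPLE_KEY,
    hash_hostname("git.example.net", bytes(range(SALT_LEN))) + " " + SAMPLE_KEY,
    "*.lab.example.org,!bad.lab.example.org " + SAMPLE_KEY,
]) + "\n"

if __name__ == "__main__":
    hashed = hash_known_hosts(SAMPLE_KNOWN_HOSTS)
    print(hashed)
    for name in ("example.com", "192.0.2.1", "git.example.net",
                 "box1.lab.example.org", "bad.lab.example.org"):
        print("%-22s plain:%d hashed:%d" % (name, len(find_host(SAMPLE_KNOWN_HOSTS, name)),
                                            len(find_host(hashed, name))))
```

On a real system the equivalent check is `ssh-keygen -F example.com -f ~/.ssh/known_hosts`, run before and after `ssh-keygen -H` (and against the retained known_hosts.old), which reports whether any line matches without opening a connection. Because the hash covers the exact name ssh looks up, a host on a non-default port must be present as `[host]:port`, and the `.old` file left behind by `-H` still lists every hostname in clear, which is why the tool warns to delete it.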