ssh client should mention ssh-keygen on mismatched keys
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| portable OpenSSH |
Unknown
|
Unknown
|
|||
| openssh (Ubuntu) |
Fix Released
|
Low
|
Unassigned | ||
Bug Description
The following is a very common message for ssh users to see
$ ssh kearney
The authenticity of host 'kearney (192.168.1.131)' can't be established.
RSA key fingerprint is c5:43:dd:
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kearney' (RSA) to the list of known hosts.
Warning: the RSA host key for 'kearney' differs from the key for the IP address '192.168.1.131'
Offending key for IP in /home/smoser/
Are you sure you want to continue connecting (yes/no)? yes
Almost all users have figured out that they have to open 'known_hosts', go to line 657 and delete the entry when they know that the host has changed.
What most people don't know is that they can run:
ssh-keygen -f ~/.ssh/known_hosts -R kearney
to do the same thing.
We can increase the discoverability of ssh-keygen's function for editing known_hosts by adding mention of it to the message.
ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: openssh-client 1:5.6p1-2ubuntu1
ProcVersionSign
Uname: Linux 2.6.37-7-generic x86_64
Architecture: amd64
Date: Tue Dec 7 09:51:28 2010
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Beta amd64 (20100318)
ProcEnviron:
PATH=(custom, user)
LANG=en_US.utf8
SHELL=/bin/bash
SourcePackage: openssh
Related branches
- Ubuntu branches: Pending requested
-
Diff: 75 lines (+36/-1)4 files modifieddebian/changelog (+6/-0)
debian/patches/mention-ssh-keygen-on-keychange.patch (+25/-0)
debian/patches/series (+1/-0)
sshconnect.c (+4/-1)
| Scott Moser (smoser) wrote | #1 |
| Scott Moser (smoser) wrote | #2 |
| Serge Hallyn (serge-hallyn) wrote | #3 |
| Changed in openssh (Ubuntu): | |
| status: | New → Confirmed |
| Serge Hallyn (serge-hallyn) wrote | #4 |
| Changed in openssh (Ubuntu): | |
| importance: | Undecided → Low |
| Scott Moser (smoser) wrote | #5 |
| Launchpad Janitor (janitor) wrote | #6 |
| Changed in openssh (Ubuntu): | |
| status: | Confirmed → Fix Released |
The proposed patch can be seen in the branch linked (lp:~smoser/ubuntu/natty/openssh/lp-686607).
With the change applied, I get a message like:
$ ssh jimbo
@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
87:43:dd:
Please contact your system administrator.
Add correct host key in /home/smoser/
Offending key in /home/smoser/
remove with: ssh-keygen -f "/home/
RSA host key for jimbo has changed and you have requested strict checking.
Host key verification failed.