Removing the offending host key when a server updates should be easier
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ubuntu Server papercuts | Fix Released | Undecided | Unassigned | |
| openssh (Ubuntu) | Fix Released | Wishlist | Unassigned | |
Bug Description
If I have a server at a particular IP, and I have an ssh history with that, ssh will store the key in ~/.known-hosts. If I then replace that server, but use the same IP, the server will have a new fingerprint that will conflict with the one in ~/.known-hosts.
ssh will then, properly, complain about a key mismatch and warn about a possible man-in-the-middle attack. This is good design; however, if I'm expecting this error because I knowingly changed the server, it gets difficult to work around it.
This is the current sort of warning ssh spits out:
@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
@@@@@@@
The RSA host key for foo.server.com has changed,
and the key for the corresponding IP address 12.34.56.78
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
ab:cd:ef:
Please contact your system administrator.
Add correct host key in /home/scott/
Offending key in /home/scott/
RSA host key for wine.budgetdedi
Host key verification failed.
There are actually two warnings here. Regardless, there's no clear path forward -- editing ~/.known-hosts in a text editor (e.g. nano) isn't useful, because the IP entries are obscured. It's also very easy to miss the fact that the warning is actually telling you a line number ("Offending key in known_hosts:15") -- this should be an explicit message "Offending key in known_hosts on line 15". That would be a simple fix, but it still makes editing larger known_hosts files a pain (especially in nano, which doesn't have obvious line numbers).
This could be even easier if ssh had some sort of switch to handle this situation. A sort of "ssh --I-changed-
ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: ssh (not installed)
ProcVersionSign
Uname: Linux 2.6.35-22-generic x86_64
NonfreeKernelMo
Architecture: amd64
Date: Sun Oct 17 03:04:06 2010
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Beta amd64 (20100901.1)
ProcEnviron:
LANG=en_US.utf8
SHELL=/bin/bash
SourcePackage: openssh
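The "obscured" entries the reporter cannot find by eye are hashed host patterns, which OpenSSH writes as `|1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>` when HashKnownHosts is enabled. The following is an added example, not code from the bug report or from OpenSSH: it re-implements that matching in Python so the offending entry can be reported as "known_hosts on line N" and dropped, which is what `ssh-keygen -F <host>` and `ssh-keygen -R <host>` do on a real system. The known_hosts contents, the salt, the key blobs and the hostname web01.example.org are constructed for the example; foo.server.com and 12.34.56.78 are the names from the warning above. Before trusting a replacement server, the new fingerprint should still be checked against one obtained out of band.

```python
"""Locate and remove an out-of-date host key from an OpenSSH known_hosts file.

Added example: matches plain, comma-separated and hashed (|1|salt|hmac)
host fields the way OpenSSH does, reports the 1-based line number and
returns the file contents with the stale entry removed.
"""
import base64
import hashlib
import hmac
from typing import List, Tuple

# Constructed sample key blobs; these are placeholders, not real public keys.
SAMPLE_KEY_A = "AAAAB3NzaC1yc2EAAAADAQABAAABAQC0sampleKeyA"
SAMPLE_KEY_B = "AAAAB3NzaC1yc2EAAAADAQABAAABAQC0sampleKeyB"
SAMPLE_KEY_C = "AAAAB3NzaC1yc2EAAAADAQABAAABAQC0sampleKeyC"
SAMPLE_SALT = bytes(range(20))  # constructed, fixed 20-byte salt for determinism


def hash_hostname(host: str, salt: bytes) -> str:
    """Return the hashed host pattern OpenSSH stores when HashKnownHosts is on.

    For a non-default port the caller passes the host as "[host]:port",
    exactly as ssh writes it.
    """
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def host_field_matches(field: str, host: str) -> bool:
    """True if a known_hosts host field names host (wildcards are not expanded)."""
    if field.startswith("|1|"):
        try:
            _, _, salt_b64, _ = field.split("|", 3)
            salt = base64.b64decode(salt_b64)
        except ValueError:
            return False  # malformed hashed entry: never treat as a match
        return hmac.compare_digest(hash_hostname(host, salt), field)
    # Unhashed entries may list several names/addresses separated by commas.
    return host in field.split(",")


def find_offending_lines(known_hosts: str, host: str) -> List[int]:
    """Return the 1-based line numbers whose host field matches host."""
    hits = []
    for number, line in enumerate(known_hosts.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split()
        # An optional marker (@cert-authority, @revoked) precedes the host field.
        field = parts[1] if parts[0].startswith("@") and len(parts) > 1 else parts[0]
        if host_field_matches(field, host):
            hits.append(number)
    return hits


def report(known_hosts: str, host: str) -> str:
    """The explicit message the bug asks for, instead of 'known_hosts:15'."""
    lines = find_offending_lines(known_hosts, host)
    if not lines:
        return "no entry for %s" % host
    return "Offending key for %s in known_hosts on line %s" % (
        host, ", ".join(str(n) for n in lines))


def remove_host(known_hosts: str, host: str) -> Tuple[str, List[int]]:
    """Return (new contents, removed line numbers) with every entry for host dropped."""
    doomed = set(find_offending_lines(known_hosts, host))
    kept = [line for number, line in enumerate(known_hosts.splitlines(), start=1)
            if number not in doomed]
    return "\n".join(kept) + ("\n" if kept else ""), sorted(doomed)


# Constructed sample file: line 3 is the replaced server, line 4 is a hashed entry.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts; keys are placeholders, not real",
    "git.example.net ssh-rsa " + SAMPLE_KEY_A,
    "foo.server.com,12.34.56.78 ssh-rsa " + SAMPLE_KEY_B,
    hash_hostname("web01.example.org", SAMPLE_SALT) + " ssh-rsa " + SAMPLE_KEY_C,
]) + "\n"


if __name__ == "__main__":
    print(report(SAMPLE_KNOWN_HOSTS, "foo.server.com"))
    print(report(SAMPLE_KNOWN_HOSTS, "web01.example.org"))
    new_text, removed = remove_host(SAMPLE_KNOWN_HOSTS, "foo.server.com")
    print("removed line(s):", removed)
    print(new_text, end="")
```

Matching is done by hostname or address exactly as ssh would look it up, so the IP entry for the old server is found whether the user asks for `foo.server.com` or `12.34.56.78`, and the hashed entry is found without anyone having to read the base64 blob.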
description: updated
Changed in openssh (Ubuntu):
importance: Undecided → Wishlist
I have to agree that the way the error is printed is quite confusing.
Just replacing the '$file:$line' with '$file on line $line' would be a very simple usability improvement.
Marking Confirmed.