ipv6 host key not added with non-default port

Bug #1271183 reported by nytral
This bug affects 2 people
Affects: openssh (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

An IPv6 server key is not being added to the list of known hosts if its port is non-standard:
ssh -p 1234 somehost
ECDSA host key for IP address '2605:2a00:ffff:fffxxx' not in list of known hosts.
<snip>
ssh -p 1234 somehost
ECDSA host key for IP address '2605:2a00:ffff:fffxxx' not in list of known hosts.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: openssh-client 1:5.9p1-5ubuntu1.1
ProcVersionSignature: Ubuntu 3.8.0-35.50~precise1-generic 3.8.13.13
Uname: Linux 3.8.0-35-generic x86_64
ApportVersion: 2.0.1-0ubuntu17.6
Architecture: amd64
Date: Tue Jan 21 15:01:13 2014
InstallationMedia: Ubuntu-Server 11.10 "Oneiric Ocelot" - Release amd64 (20111011)
MarkForUpload: True
ProcEnviron:
 TERM=screen-bce
 PATH=(custom, no user)
 LANG=fr_FR
 SHELL=/usr/bin/zsh
RelatedPackageVersions:
 ssh-askpass N/A
 libpam-ssh N/A
 keychain N/A
 ssh-askpass-gnome N/A
SSHClientVersion: OpenSSH_5.9p1 Debian-5ubuntu1.1, OpenSSL 1.0.1 14 Mar 2012
SourcePackage: openssh
UpgradeStatus: Upgraded to precise on 2013-02-24 (331 days ago)
modified.conffile..etc.ssh.ssh.config: [modified]
mtime.conffile..etc.ssh.ssh.config: 2012-02-26T19:33:27

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openssh (Ubuntu):
status: New → Confirmed
Revision history for this message
Paul Tansom (aptanet) wrote :

I've done some investigation into this and I'm not sure that the description is quite accurate, at least not for my situation anyway.

Having just built a new server and ssh'd into it on a non-standard port with no problem, I've done a bit of playing and found that the problem seems to present itself if there is already an entry in the known_hosts for the hostname that was set up with only an IPv4 connection. The fix for an individual situation is to remove the entry from known_hosts with:

ssh-keygen -R [hostname]:port

then reconnect and the appropriate entry will be added successfully.

To reproduce the problem try this:

- Rename your existing known_hosts file so you have a blank one but can return to the original when testing is complete.
- Drop your network interface, disable the IPv6 (remove the config temporarily) and re-enable the interface.
- ssh to a test host; this will place a suitable entry in the known_hosts file.
- disconnect from the host.
- Drop your network interface, re-enable IPv6 and re-enable the interface.
- ssh to the same test host; this time you should get the error message that the ECDSA host key for the IP address is 'not in list of known hosts'

There doesn't appear to be a problem the other way round, i.e. connecting with IPv6 to create the entry in known_hosts and then connecting with only IPv4.

Further investigation reveals the reason for this. If you look at the known_hosts file that was created when you first connected during that test you will find two entries. Since it was initially empty both of these were created during the one connection. Since they are hashed you can't see what they were, but it makes sense that one is for the hostname and the other for the IP address. To confirm this try the following two commands:

ssh-keygen -R [hostname]:port
ssh-keygen -R [IPv4]:port

Both entries should now have been removed. If you try connecting now (still having an empty known_hosts, but with the IPv6 enabled) you will again get two entries. This time however one of them will be for the IPv6 address. Again, to confirm this try the following two commands:

ssh-keygen -R [hostname]:port
ssh-keygen -R [IPv6]:port

So the end result of this is that, when adding a host to the known_hosts using an IPv4 connection the code is happy to ignore the fact that there is already an entry for the hostname (and IPv6 address) and simply adds the IPv4 address as well. When adding a host using an IPv6 connection the fact that there is already an entry for the hostname and one for the IPv4 address causes the code prompting the addition of an entry to known_hosts to fail. Interestingly, if you only have the entry for the hostname in known_hosts (and none for any IP) you get the same error, but the matching IPv6 address is automatically added without prompt (whereas it fails to add an entry if the IPv4 address is in there).

I would suggest that it makes sense for the error message to appear, but in both cases a prompt is required to make a change to the known_hosts file. It could be argued that this is a low security risk, but any automatic changes to known_hosts should be avoided on security grounds.

PS. Remember t...

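The comment above reasons about which hashed known_hosts entries belong to the hostname, the IPv4 address and the IPv6 address of a host on a non-default port, and uses ssh-keygen -R to remove them one at a time. The following Python script is an added example (not part of the bug report or of OpenSSH) that reproduces the relevant parts of that file format so the state can be audited offline: it builds "[host]:port" names the way OpenSSH stores them, hashes them with the "|1|salt|hash" HMAC-SHA1 scheme OpenSSH uses for hashed entries, reports which lines match each name (what ssh-keygen -F does) and removes matching lines (what ssh-keygen -R does). The hostname, addresses and key material are constructed placeholders; the sample file is built in the state the comment describes, with entries for the hostname and the IPv4 address at port 1234 but none for the IPv6 address.

```python
import base64
import hashlib
import hmac
import os

# Constructed placeholder key field; not a real host key.
SAMPLE_KEY = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEXAMPLEKEYDATA="


def host_pattern(host, port=22):
    """Name under which OpenSSH stores a host in known_hosts.

    A non-default port wraps the host in brackets: [host]:port.  IPv6 literals
    use the same form, so [2001:db8::10]:1234 is unambiguous despite the colons.
    """
    return host if port == 22 else "[%s]:%d" % (host, port)


def hash_host(name, salt=None):
    """Hashed host field as written by 'ssh-keygen -H' / HashKnownHosts yes:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=name)) with a 20-byte salt."""
    salt = salt or os.urandom(20)
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def host_matches(field, name):
    """True if a known_hosts host field (hashed, or a plain comma-separated list) matches name."""
    if field.startswith("|1|"):
        _, _, salt_b64, hash_b64 = field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64encode(digest).decode(), hash_b64)
    return name in field.split(",")


def _host_field(line):
    """Host field of a known_hosts line; '@cert-authority'/'@revoked' markers come first."""
    parts = line.split()
    return parts[1] if parts[0].startswith("@") else parts[0]


def find_entries(known_hosts_text, names):
    """Map each name to the 1-based line numbers whose host field matches it (like ssh-keygen -F)."""
    found = {n: [] for n in names}
    for lineno, line in enumerate(known_hosts_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for n in names:
            if host_matches(_host_field(line), n):
                found[n].append(lineno)
    return found


def remove_entries(known_hosts_text, name):
    """Return the file with every line matching name dropped (like ssh-keygen -R name)."""
    kept = []
    for line in known_hosts_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and host_matches(_host_field(stripped), name):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


def build_sample_known_hosts():
    """Constructed known_hosts in the state described in the comment: hashed entries for the
    hostname and the IPv4 address on port 1234, nothing for the IPv6 address."""
    lines = [
        "%s %s" % (hash_host(host_pattern("somehost", 1234)), SAMPLE_KEY),
        "%s %s" % (hash_host(host_pattern("192.0.2.10", 1234)), SAMPLE_KEY),
    ]
    return "\n".join(lines) + "\n"


def audit(known_hosts_text, hostname, ipv4, ipv6, port):
    """Which of the three names a client may check for this host already have entries."""
    names = [host_pattern(hostname, port), host_pattern(ipv4, port), host_pattern(ipv6, port)]
    return find_entries(known_hosts_text, names)


if __name__ == "__main__":
    kh = build_sample_known_hosts()
    for name, lines in audit(kh, "somehost", "192.0.2.10", "2001:db8::10", 1234).items():
        print("%-24s -> lines %s" % (name, lines or "none"))
    # After the fix from the comment (ssh-keygen -R [hostname]:port) only the IPv4 line remains.
    print(audit(remove_entries(kh, "[somehost]:1234"), "somehost", "192.0.2.10", "2001:db8::10", 1234))
```

Run against a real ~/.ssh/known_hosts by passing its contents to audit() with the host's actual name and addresses; the empty list for the IPv6 name is exactly the situation in which the bug report's "not in list of known hosts" message appears, and it shows why removing the hostname entry lets the client write a fresh set of entries on the next connection.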

Revision history for this message
nytral (nytral) wrote :

Thanks for the thorough investigation. Simply removing the IPv4 entry and connecting with v6 does the trick! And no need to drop interfaces, just using -4 works for me. It's still a bug though (different behavior depending on v4/v6), will it be pushed upstream?

Revision history for this message
nytral (nytral) wrote :

Actually, to correct my previous post, ssh-keygen -R hostname is enough to allow the v6 key to be added properly.

Revision history for this message
Paul Tansom (aptanet) wrote :

I hope it will be pushed upstream, I'm not in a position to do anything about that though. I've looked for a way to modify the bug to indicate that there are security implications to it, but haven't found anything yet. It would be a shame if you can only state that on logging the bug.
