Comment 5 for bug 1668093

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Building and testing latest released upstream
https://mirror.hs-esslingen.de/pub/OpenBSD/OpenSSH/portable/openssh-7.4p1.tar.gz

autoreconf && ./configure && make -j 4
And Testing local ./ssh-keygen just built.

To make sure lib dependencies are not the one that introduce this I built this on Trusty and Zesty after pulling in the "usual" build dependencies for openssh via "apt-get build-dep openssh".

openssh-7.4p1$ ./ssh-keyscan 10.245.71.133 > ~/.ssh/known_hosts
# 10.245.71.133:22 SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
# 10.245.71.133:22 SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
# 10.245.71.133:22 SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1

# Save the initial file with Hosts
openssh-7.4p1$ cp ~/.ssh/known_hosts ~/.ssh/known_hosts-upstream-step1

# Check if keys are known (working)
openssh-7.4p1$ ./ssh ubuntu@10.245.71.133
Permission denied (publickey).

# Hash entries
openssh-7.4p1$ ./ssh-keygen -H
/root/.ssh/known_hosts updated.
Original contents retained as /root/.ssh/known_hosts.old
WARNING: /root/.ssh/known_hosts.old contains unhashed entries
Delete this file to ensure privacy of hostnames

# Save the first round of hashes
openssh-7.4p1$ cp ~/.ssh/known_hosts ~/.ssh/known_hosts-upstream-step2

# Check if keys are known (still working)
openssh-7.4p1$ ./ssh ubuntu@10.245.71.133
Permission denied (publickey).

# Re-hash breaking the content
openssh-7.4p1$ ./ssh-keygen -H
/root/.ssh/known_hosts updated.
Original contents retained as /root/.ssh/known_hosts.old
WARNING: /root/.ssh/known_hosts.old contains unhashed entries
Delete this file to ensure privacy of hostnames

# Save the re-hashed file
openssh-7.4p1$ cp ~/.ssh/known_hosts ~/.ssh/known_hosts-upstream-step3

# Show the error of hashes now being unknown
openssh-7.4p1$ ./ssh ubuntu@10.245.71.133
The authenticity of host '10.245.71.133 (10.245.71.133)' can't be established.
ECDSA key fingerprint is SHA256:AoKckr17ygqfpIfx94bRSHAzrnVQN6DfKsHR0hySjTM.
Are you sure you want to continue connecting (yes/no)?

The Test can be driven further, the following loop shows nothing on good systems (no diff after the first hashing), while on broken systems it does rehash (and therefore show diff) over and over again.
for i in $(seq 1 20); do ssh-keygen -H; diff -Naur /root/.ssh/known_hosts.old /root/.ssh/known_hosts; done