Hashing known_hosts renders fingerprints unusable
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssh (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Running ssh-keygen -H against known_hosts renders the fingerprints so that a match is no longer found. The man page states this is 'safe to use on files that mix hashed and non-hashed names'.
To reproduce on Ubuntu 16.10, with openssh-client 1:7.3p1-1:
-------
1. Try to connect first time, prompted for fingerprint so add it
user@myserver:~$ ssh example.com
The authenticity of host 'example.com (192.0.2.1)' can't be established.
ECDSA key fingerprint is SHA256:
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'example.
<email address hidden>'s password:
-------
2. Try to connect again, no prompt for fingerprint (as expected)
user@myserver:~$ ssh example.com
<email address hidden>'s password:
-------
3. Hash the known hosts file
user@myserver:~$ ssh-keygen -H
/home/user/
Original contents retained as /home/user/
WARNING: /home/user/
Delete this file to ensure privacy of hostnames
-------
4. Try to connect again, prompted for fingerprint
user@myserver:~$ ssh example.com
The authenticity of host 'example.com (192.0.2.1)' can't be established.
ECDSA key fingerprint is SHA256:
Are you sure you want to continue connecting (yes/no)?
I think this is the same as bug 1668093. Can you check? If so, there's a fix in the pipeline.
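For readers checking a hashed known_hosts by hand, the following is an added Python example (not part of this bug report and not OpenSSH's own code) of the `|1|salt|hmac|` host field that `ssh-keygen -H` writes and of how a hashed line is expected to match a hostname. It is simplified (no `@cert-authority`/`@revoked` marker lines, no wildcard patterns) and the host key blob in the sample is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"  # prefix OpenSSH puts on hashed host fields

def hash_hostname(hostname, salt=None):
    """Build a hashed host field |1|salt|hmac| as ssh-keygen -H writes it.
    OpenSSH keys HMAC-SHA1 with a random 20-byte salt over the hostname
    exactly as it appears unhashed ('example.com' or '[host]:2222')."""
    if salt is None:
        salt = os.urandom(20)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

def host_matches(host_field, hostname):
    """True if a known_hosts host field (hashed or plain) names hostname."""
    if host_field.startswith(HASH_MAGIC):
        parts = host_field.split("|")
        if len(parts) != 4:
            return False  # malformed hashed field: no match
        salt, want = base64.b64decode(parts[2]), base64.b64decode(parts[3])
        got = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(want, got)
    return hostname in host_field.split(",")  # plain fields may list names

def hash_known_hosts(text):
    """Rewrite plain entries as hashed ones, one line per name (like -H)."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(HASH_MAGIC):
            out.append(line)  # already hashed, empty or comment: keep verbatim
            continue
        for name in parts[0].split(","):
            out.append(" ".join([hash_hostname(name)] + parts[1:]))
    return "\n".join(out)

def find_host_keys(text, hostname):
    """Return (keytype, key) for every entry whose host field matches."""
    keys = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and host_matches(parts[0], hostname):
            keys.append((parts[1], parts[2]))
    return keys

# Constructed sample: the key blob is a placeholder, not a real host key.
SAMPLE = "example.com,192.0.2.1 ecdsa-sha2-nistp256 AAAAPLACEHOLDER_KEY_BLOB\n"
```

Running `find_host_keys` over `SAMPLE` and over `hash_known_hosts(SAMPLE)` should return the same key for `example.com`; a hashed file on which the lookup fails, as in the report above, is the behaviour to investigate.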