Hashing known_hosts renders fingerprints unusable

Bug #1679607 reported by Chris on 2017-04-04
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openssh (Ubuntu)
Undecided
Unassigned

Bug Description

Running ssh-keygen -H against known_hosts renders the fingerprints so that a match is no longer found. The man page states this is 'safe to use on files that mix hashed and non-hashed names'.

To reproduce on Ubuntu 16.10, with openssh-client 1:7.3p1-1:
------------------------------------------------------------------------------
1. Try to connect first time, prompted for fingerprint so add it
user@myserver:~$ ssh example.com
The authenticity of host 'example.com (192.0.2.1)' can't be established.
ECDSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8..
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'example.com,192.0.2.1' (ECDSA) to the list of known hosts.
<email address hidden>'s password:
------------------------------------------------------------------------------
2. Try to connect again, no prompt for fingerprint (as expected)
user@myserver:~$ ssh example.com
<email address hidden>'s password:
------------------------------------------------------------------------------
4. Hash the known hosts file
user@myserver:~$ ssh-keygen -H
/home/user/.ssh/known_hosts updated.
Original contents retained as /home/user/.ssh/known_hosts.old
WARNING: /home/user/.ssh/known_hosts.old contains unhashed entries
Delete this file to ensure privacy of hostnames
------------------------------------------------------------------------------
5. Try to connect again, prompted for fingerprint
user@myserver:~$ ssh example.com
The authenticity of host 'example.com (192.0.2.1)' can't be established.
ECDSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8..
Are you sure you want to continue connecting (yes/no)?

Colin Watson (cjwatson) wrote :

I think this is the same as bug 1668093. Can you check? If so, there's a fix in the pipeline.

Chris (gaddman) wrote :

Ah yes, same thing, sorry about that - default (simple) search doesn't show bugs with Fix Released so I didn't spot it. Will mark as duplicate.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers