ssh client should mention ssh-keygen on mismatched keys

Bug #686607 reported by Scott Moser on 2010-12-07
This bug affects 1 person
Affects            Status    Importance  Assigned to  Milestone
portable OpenSSH   Unknown   Unknown
openssh (Ubuntu)             Low         Unassigned

Bug Description

The following is a very common message for ssh users to see:

$ ssh kearney
The authenticity of host 'kearney (192.168.1.131)' can't be established.
RSA key fingerprint is c5:43:dd:69:56:82:2c:30:4c:03:57:45:aa:de:26:31.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kearney' (RSA) to the list of known hosts.
Warning: the RSA host key for 'kearney' differs from the key for the IP address '192.168.1.131'
Offending key for IP in /home/smoser/.ssh/known_hosts:657
Are you sure you want to continue connecting (yes/no)? yes

Almost all users have figured out that they have to open 'known_hosts', go to line 657 and delete the entry when they know that the host has changed.

What most people don't know is that they can run:
  ssh-keygen -f ~/.ssh/known_hosts -R kearney

to do the same thing.

We can increase the discoverability of ssh-keygen's function for editing known_hosts by adding mention of it to the message.

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: openssh-client 1:5.6p1-2ubuntu1
ProcVersionSignature: Ubuntu 2.6.37-7.19-generic 2.6.37-rc3
Uname: Linux 2.6.37-7-generic x86_64
Architecture: amd64
Date: Tue Dec 7 09:51:28 2010
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Beta amd64 (20100318)
ProcEnviron:
 PATH=(custom, user)
 LANG=en_US.utf8
 SHELL=/bin/bash
SourcePackage: openssh

Scott Moser (smoser) wrote :

The proposed patch can be seen in the branch linked (lp:~smoser/ubuntu/natty/openssh/lp-686607).

With the change applied, I get a message like:
$ ssh jimbo
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
87:43:dd:3b:da:8f:bd:89:0b:c1:c1:e3:7a:8b:db:4d.
Please contact your system administrator.
Add correct host key in /home/smoser/.ssh/known_hosts.uec to get rid of this message.
Offending key in /home/smoser/.ssh/known_hosts.uec:1
  remove with: ssh-keygen -f "/home/smoser/.ssh/known_hosts.uec" -R jimbo
RSA host key for jimbo has changed and you have requested strict checking.
Host key verification failed.
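
Added example (not part of the original report, and not OpenSSH's own code): a sketch of what the "Offending key in ...:N" line and ssh-keygen -R act on. It locates the known_hosts lines stored for a name, including |1| hashed entries, and prints each stored key's fingerprint in the colon-separated MD5 form shown above so it can be compared with the one the server presents before the line is removed. The function names and the sample file are constructed for illustration; note that a host name and its IP address sit on separate lines, as in the 'kearney' / 192.168.1.131 transcript.

```python
import base64
import hashlib
import hmac

def md5_fingerprint(key_b64):
    """Colon-separated MD5 of the key blob, the format ssh prints in the messages above."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def names_host(hosts_field, name):
    """True if a known_hosts host field names `name` (plain list or |1| hashed form)."""
    if hosts_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = hosts_field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return name in hosts_field.split(",")  # wildcard patterns are not handled here

def find_entries(text, name):
    """(line number, key type, fingerprint) of every entry stored for `name`."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@":  # blank, comment or @marker line
            continue
        if names_host(fields[0], name):
            hits.append((lineno, fields[1], md5_fingerprint(fields[2])))
    return hits

def remove_entries(text, names):
    """Drop every line that find_entries() reports for any of `names`."""
    stale = {lineno for n in names for lineno, _, _ in find_entries(text, n)}
    kept = [l for i, l in enumerate(text.splitlines(), start=1) if i not in stale]
    return "\n".join(kept) + "\n"

def _b64(raw):
    return base64.b64encode(raw).decode()

# Constructed sample: the blobs are placeholders, not real host keys.
_SALT = b"constructed-salt-20b"
_MAC = hmac.new(_SALT, b"jimbo", hashlib.sha1).digest()
SAMPLE = (
    "kearney ssh-rsa %s\n" % _b64(b"constructed key A")
    + "192.168.1.131 ssh-rsa %s\n" % _b64(b"constructed key B")
    + "|1|%s|%s ssh-rsa %s\n" % (_b64(_SALT), _b64(_MAC), _b64(b"constructed key C"))
)

if __name__ == "__main__":
    print(find_entries(SAMPLE, "kearney"), find_entries(SAMPLE, "192.168.1.131"))
    print(remove_entries(SAMPLE, ["kearney", "192.168.1.131"]), end="")
```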

Serge Hallyn (serge-hallyn) wrote :

Hi Scott,

the patch looks good to me. Can you propose it for merge?

Changed in openssh (Ubuntu):
status: New → Confirmed

Serge Hallyn (serge-hallyn) wrote :

(and/or send it as a debian bug)

Changed in openssh (Ubuntu):
importance: Undecided → Low

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:5.6p1-2ubuntu2

---------------
openssh (1:5.6p1-2ubuntu2) natty; urgency=low

  * Add mention-ssh-keygen-on-keychange.patch, mention of ssh-keygen
    in ssh connect warning (LP: #686607) https://bugzilla.mindrot.org/show_bug.cgi?id=1843
 -- Scott Moser <email address hidden> Tue, 07 Dec 2010 10:34:30 -0500

Changed in openssh (Ubuntu):
status: Confirmed → Fix Released