[Bug 1679607] [NEW] Hashing known_hosts renders fingerprints unusable
Chris
1679607 at bugs.launchpad.net
Tue Apr 4 10:19:36 UTC 2017
Public bug reported:
Running ssh-keygen -H against known_hosts renders the fingerprints so
that a match is no longer found. The man page states this is 'safe to
use on files that mix hashed and non-hashed names'.
To reproduce on Ubuntu 16.10, with openssh-client 1:7.3p1-1:
------------------------------------------------------------------------------
1. Try to connect first time, prompted for fingerprint so add it
user at myserver:~$ ssh example.com
The authenticity of host 'example.com (192.0.2.1)' can't be established.
ECDSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8..
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'example.com,192.0.2.1' (ECDSA) to the list of known hosts.
user at example.com's password:
------------------------------------------------------------------------------
2. Try to connect again, no prompt for fingerprint (as expected)
user at myserver:~$ ssh example.com
user at example.com's password:
------------------------------------------------------------------------------
4. Hash the known hosts file
user at myserver:~$ ssh-keygen -H
/home/user/.ssh/known_hosts updated.
Original contents retained as /home/user/.ssh/known_hosts.old
WARNING: /home/user/.ssh/known_hosts.old contains unhashed entries
Delete this file to ensure privacy of hostnames
------------------------------------------------------------------------------
5. Try to connect again, prompted for fingerprint
user at myserver:~$ ssh example.com
The authenticity of host 'example.com (192.0.2.1)' can't be established.
ECDSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8..
Are you sure you want to continue connecting (yes/no)?
** Affects: openssh (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1679607
Title:
Hashing known_hosts renders fingerprints unusable
Status in openssh package in Ubuntu:
New
Bug description:
Running ssh-keygen -H against known_hosts renders the fingerprints so
that a match is no longer found. The man page states this is 'safe to
use on files that mix hashed and non-hashed names'.
To reproduce on Ubuntu 16.10, with openssh-client 1:7.3p1-1:
------------------------------------------------------------------------------
1. Try to connect first time, prompted for fingerprint so add it
user at myserver:~$ ssh example.com
The authenticity of host 'example.com (192.0.2.1)' can't be established.
ECDSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8..
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'example.com,192.0.2.1' (ECDSA) to the list of known hosts.
user at example.com's password:
------------------------------------------------------------------------------
2. Try to connect again, no prompt for fingerprint (as expected)
user at myserver:~$ ssh example.com
user at example.com's password:
------------------------------------------------------------------------------
4. Hash the known hosts file
user at myserver:~$ ssh-keygen -H
/home/user/.ssh/known_hosts updated.
Original contents retained as /home/user/.ssh/known_hosts.old
WARNING: /home/user/.ssh/known_hosts.old contains unhashed entries
Delete this file to ensure privacy of hostnames
------------------------------------------------------------------------------
5. Try to connect again, prompted for fingerprint
user at myserver:~$ ssh example.com
The authenticity of host 'example.com (192.0.2.1)' can't be established.
ECDSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8..
Are you sure you want to continue connecting (yes/no)?
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1679607/+subscriptions
More information about the foundations-bugs
mailing list