Can we have better ssh fingerprint collision messages?
h.reindl at thelounge.net
Mon Nov 11 22:33:16 UTC 2013
On 11.11.2013 23:24, Chris Adams wrote:
> Once upon a time, Reindl Harald <h.reindl at thelounge.net> said:
>> No, I simply took the host key of another machine in my "known_hosts" file,
>> pressed save and tried to connect to the host. Maybe this happens because
>> there is more than one line for each host (IP, local part only, FQ), but
>> that is in fact what you get.
> If you didn't change it to match exactly what you attempted to connect
> to (e.g. if you made an entry for "foo.mydomain.com" and then just did
> "ssh foo"), the line is not matched. If you manually make multiple
> lines with the same host, I'm not sure what OpenSSH does (because it
> doesn't create such entries); it may only care about the first match.
Boah, *it does*, if you connect once to the local part only (because of
a DNS suffix) and once to the FQ host.
These lines are not written by hand, and I replaced the key (from "AAA" to "==")
of the first one with the key of a completely different host in the file,
resulting in the message I posted for ssh "harry at srv-rhsoft".
> If there is no match to the host, you get the output you described; if
> there is a match but the key is different, you get the original poster's
> desired output. This is standard (and I believe non-configurable)
> OpenSSH behavior going back to the beginning (and IIRC to the original
> SSH code before OpenSSH started).
And as I have proven, this is *not true* in all situations. Period.
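The two rules the thread is arguing about (a known_hosts line only matches the name you actually typed, so "foo" and "foo.mydomain.com" are separate entries; and a name that matches with a different key of the same type is what produces the "host identification has changed" warning rather than the "unknown host" prompt) modelled as an added Python example. This is not OpenSSH's code and is not from either poster; the hostnames, IPs, key blobs and known_hosts contents are constructed sample data. Assumptions, also noted in the code: plain-text host patterns are compared exactly (no wildcards, negation or [host]:port form), key blobs are compared as base64 text, and every line naming the host is consulted rather than only the first one (my understanding of OpenSSH, not something the thread settles).

```python
"""
Model of how a known_hosts file is consulted when a server presents a host key.
Added example, not OpenSSH's code. Simplifications (assumptions): plain-text
host patterns are compared exactly (no '*' / '?' wildcards, no '!' negation,
no [host]:port form), and key blobs are compared as the base64 text rather
than as decoded keys. All hosts and keys below are constructed sample data.
"""
import base64
import hashlib
import hmac

# Constructed sample key blobs (shortened placeholders, not real keys).
KEY_A = "AAAAC3NzaC1lZDI1NTE5AAAAIHostKeyOfSrvRhsoftAAAA"
KEY_B = "AAAAC3NzaC1lZDI1NTE5AAAAIHostKeyOfBackupBoxAAAA"


def hash_host(host, salt):
    """Build the '|1|salt|mac' form that HashKnownHosts writes (HMAC-SHA1 over the name)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(pattern, host):
    """Does one comma-separated host pattern from a line match the name being connected to?"""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return pattern == host          # assumption: exact match only (see module docstring)


def parse_known_hosts(text):
    """Yield (line_no, marker, [host patterns], key type, key blob) for each usable line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = None
        if fields[0].startswith("@"):          # @revoked / @cert-authority
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue                           # malformed line: ignored
        yield line_no, marker, fields[0].split(","), fields[1], fields[2]


def check_host_key(known_hosts, host, key_type, key_blob):
    """
    Classify a presented host key the way the known_hosts check does:
      "unknown"  no line names this host        -> "authenticity ... can't be established"
      "match"    a line names it with this key  -> silent success
      "changed"  lines name it with this key type but a different key
                                                -> "REMOTE HOST IDENTIFICATION HAS CHANGED!"
      "new-type" lines name it, but only with other key types
      "revoked"  the presented key is on an @revoked line
    Every line naming the host is examined, not just the first (assumption).
    """
    host_seen = type_seen = False
    for _, marker, patterns, ktype, blob in parse_known_hosts(known_hosts):
        if marker == "@cert-authority":
            continue                           # CA lines carry no host key; out of scope here
        if not any(host_matches(p, host) for p in patterns):
            continue
        if marker == "@revoked":
            if ktype == key_type and blob == key_blob:
                return "revoked"
            continue
        host_seen = True
        if ktype != key_type:
            continue
        if blob == key_blob:
            return "match"
        type_seen = True
    if type_seen:
        return "changed"
    return "new-type" if host_seen else "unknown"


def replace_key_on_line(known_hosts, line_no, new_blob):
    """Reproduce the manual edit from the thread: paste another host's key into one line."""
    lines = known_hosts.splitlines()
    fields = lines[line_no - 1].split()
    fields[2] = new_blob
    lines[line_no - 1] = " ".join(fields)
    return "\n".join(lines)


# Constructed known_hosts: the same box recorded under its short name and under
# FQDN+IP (as ssh writes when you connect both ways), plus one hashed entry.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "srv-rhsoft ssh-ed25519 " + KEY_A,
    "srv-rhsoft.example.com,10.0.0.5 ssh-ed25519 " + KEY_A,
    hash_host("backup.example.com", b"0123456789abcdefghij") + " ssh-ed25519 " + KEY_B,
])

if __name__ == "__main__":
    for host, blob in [("srv-rhsoft", KEY_A), ("srv-rhsoft.example.com", KEY_B),
                       ("backup.example.com", KEY_B), ("srv", KEY_A)]:
        print("%-24s %s" % (host, check_host_key(SAMPLE_KNOWN_HOSTS, host, "ssh-ed25519", blob)))
    # The experiment from the thread: overwrite line 1's key with another host's key.
    tampered = replace_key_on_line(SAMPLE_KNOWN_HOSTS, 1, KEY_B)
    print("%-24s %s" % ("srv-rhsoft (edited)",
                        check_host_key(tampered, "srv-rhsoft", "ssh-ed25519", KEY_A)))
```

Under these rules, editing the key on the "srv-rhsoft" line yields "changed" when connecting as srv-rhsoft, while connecting as a name that no line carries (here "srv") yields "unknown" regardless of what was edited; the model does not attempt to explain which of the two the original poster saw.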