Can we have better ssh fingerprint collision messages?

Reindl Harald h.reindl at thelounge.net
Mon Nov 11 22:33:16 UTC 2013


On 11.11.2013 23:24, Chris Adams wrote:
> Once upon a time, Reindl Harald <h.reindl at thelounge.net> said:
>> no - i simply took the host-key of another machine in my "known_hosts" file
>> pressed save and tried to connect to the host, maybe this happens because
>> there are more than one lines for each host (IP, only local part, FQ) but
>> that is in fact what you get
> 
> If you didn't change it to match exactly what you attempted to connect
> to (e.g. if you made an entry for "foo.mydomain.com" and then just did
> "ssh foo"), the line is not matched.  If you manually make multiple
> lines with the same host, I'm not sure what OpenSSH does (because it
> doesn't create such entries); it may only care about the first match.

boah *it does* if you connect one time to the local-part only
because of a DNS suffix and one time to the FQ host

these lines are not written by hand and i replaced the key from "AAA" to "=="
of the first one with the key of a completely different host in the file,
resulting in the message i posted by ssh "harry at srv-rhsoft"

srv-rhsoft ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzTBd2hor7lh2ien9j9ghkrqNGIh0t3AbUfwlABMnHIcSA9CATSctmwfHWkjob9CLCYIVF38hQPAbvSV9WyNu2BGHzuiXPPnvIxM06U4ot6Xs8B0Wcj3MtrBzbMCcl1b6tVNREPSwxDiUiDdmWgQpkbFIr+qX/D7CrJLfc5ON/VF/ZSe46hJw8YUoDa19hCXfZe0P4UK9iXLfhrjPKMl+x6/2F/CKwmtAdCXpWd1D3M/fozTSjiG2BBszWTZFCDKdtBOhB2tpndyzatkpFR6Ik7JR5/YzwZghayWs9PZyOb7M4RHnPAzZX0yy9lrHyi+///VKSyxv2xUxXXGc6AiBhw==
srv-rhsoft.rhsoft.net ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzTBd2hor7lh2ien9j9ghkrqNGIh0t3AbUfwlABMnHIcSA9CATSctmwfHWkjob9CLCYIVF38hQPAbvSV9WyNu2BGHzuiXPPnvIxM06U4ot6Xs8B0Wcj3MtrBzbMCcl1b6tVNREPSwxDiUiDdmWgQpkbFIr+qX/D7CrJLfc5ON/VF/ZSe46hJw8YUoDa19hCXfZe0P4UK9iXLfhrjPKMl+x6/2F/CKwmtAdCXpWd1D3M/fozTSjiG2BBszWTZFCDKdtBOhB2tpndyzatkpFR6Ik7JR5/YzwZghayWs9PZyOb7M4RHnPAzZX0yy9lrHyi+///VKSyxv2xUxXXGc6AiBhw==

> If there is no match to the host, you get the output you described; if
> there is a match but the key is different, you get the original poster's
> desired output.  This is standard (and I believe non-configurable)
> OpenSSH behavior going back to the beginning (and IIRC to the original
> SSH code before OpenSSH started)

and as i have proven this is *not true* in all situations - period
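As an added example (not from this thread, and not OpenSSH's own code), a small Python model of how an ssh client consults known_hosts, written from my reading of OpenSSH's hostfile.c: the name exactly as typed (short name, FQDN or IP address, each being its own line) selects which lines are consulted, any agreeing line yields "ok", a matching line of the same key type with a different key yields "changed" (the "HOST IDENTIFICATION HAS CHANGED" warning), and anything else yields "new" (the "authenticity can't be established" prompt). Host names and keys in the sample are constructed placeholders; `[host]:port` names and `@cert-authority`/`@revoked` markers are left out.

```python
import base64
import fnmatch
import hashlib
import hmac

# Constructed known_hosts content (placeholder keys, not real host keys). It mirrors the
# thread: two lines for one machine, short name and FQDN, where the short-name line has
# been given the key of a different host.
KNOWN_HOSTS = """\
srv-rhsoft ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER_KEY_FROM_OTHER_HOST
srv-rhsoft.rhsoft.net,10.0.0.5 ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER_REAL_KEY
*.lab.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5_PLACEHOLDER_LAB_KEY
"""

def hashed_host_field(hostname, salt):
    """Build the |1|salt|hmac host field that HashKnownHosts writes (salt: 20 bytes)."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(host_field, hostname):
    """Match one host field: comma list, shell globs, !negation, or a |1| hashed name."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, digest_b64 = host_field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest_b64))
    matched = False
    for pat in host_field.split(","):
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False          # a negated pattern rejects the whole line
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched

def lookup(known_hosts, hostname, key_type, key_blob):
    """Classify the presented key as 'ok', 'changed' or 'new' for the name as typed."""
    result = "new"
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue                  # comments; @cert-authority/@revoked are out of scope
        if not host_matches(parts[0], hostname) or parts[1] != key_type:
            continue                  # other name, or a line for another key algorithm
        if parts[2] == key_blob:
            return "ok"               # one agreeing line is enough: silent connect
        result = "changed"            # name known with a different key: the big warning
    return result                     # no line for this exact name: first-connect prompt
```

Because the short name and the FQDN are separate lines, a key swapped on one of them only affects connections made with that spelling of the name.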
