Can we have better ssh fingerprint collision messages?

James Hogarth james.hogarth at
Tue Nov 12 11:25:39 UTC 2013

On 12 November 2013 09:40, Reindl Harald <h.reindl at> wrote:

> jesus christ *from* "AAA" *to* "==" means *the whole valid key*
> because quote two complete keys is a little bit long
> so what is there invalid
Reindl please calm down ... step away from the keyboard then come back in
fresh temperament.

If you re-read your original message it is somewhat ambiguous as it can
easily be read (and indeed I first read it as) that you changed AAA to ==
... ie just those characters.

> you ssh command must have some magic that it can distinct if the
> server changed it's key or the one in "known_hosts"
Did you edit the key for both the IP address and the hostname in

It's feasible that if you only changed the hostname and not the IP based
one behaviour would be different.

Indeed if I just ssh-keygen -R fqdn and then ssh to a box after the key has
changed there will be similar complaints as it verifies on the latter too.

> and now you can explain me where is the difference in the key on the
> server has changed and having a different but valid key than the
> servers one on "known_hosts"

It can't... but you have to be sure you have edited any entries that may
apply and that it is absolutely correct on the change ... frankly it's
quicker and simpler to test via changing the target host's key rather than
your known_hosts.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the devel mailing list