[Bug 1668093] Re: ssh-keygen -H corrupts already hashed entries
ChristianEhrhardt
1668093 at bugs.launchpad.net
Tue Feb 28 07:18:57 UTC 2017
Building and testing latest released upstream
https://mirror.hs-esslingen.de/pub/OpenBSD/OpenSSH/portable/openssh-7.4p1.tar.gz
autoreconf && ./configure && make -j 4
And Testing local ./ssh-keygen just built.
To make sure lib dependencies are not the one that introduce this I
built this on Trusty and Zesty after pulling in the "usual" build
dependencies for openssh via "apt-get build-dep openssh".
openssh-7.4p1$ ./ssh-keyscan 10.245.71.133 > ~/.ssh/known_hosts
# 10.245.71.133:22 SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
# 10.245.71.133:22 SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
# 10.245.71.133:22 SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
# Save the initial file with Hosts
openssh-7.4p1$ cp ~/.ssh/known_hosts ~/.ssh/known_hosts-upstream-step1
# Check if keys are known (working)
openssh-7.4p1$ ./ssh ubuntu at 10.245.71.133
Permission denied (publickey).
# Hash entries
openssh-7.4p1$ ./ssh-keygen -H
/root/.ssh/known_hosts updated.
Original contents retained as /root/.ssh/known_hosts.old
WARNING: /root/.ssh/known_hosts.old contains unhashed entries
Delete this file to ensure privacy of hostnames
# Save the first round of hashes
openssh-7.4p1$ cp ~/.ssh/known_hosts ~/.ssh/known_hosts-upstream-step2
# Check if keys are known (still working)
openssh-7.4p1$ ./ssh ubuntu at 10.245.71.133
Permission denied (publickey).
# Re-hash breaking the content
openssh-7.4p1$ ./ssh-keygen -H
/root/.ssh/known_hosts updated.
Original contents retained as /root/.ssh/known_hosts.old
WARNING: /root/.ssh/known_hosts.old contains unhashed entries
Delete this file to ensure privacy of hostnames
# Save the re-hashed file
openssh-7.4p1$ cp ~/.ssh/known_hosts ~/.ssh/known_hosts-upstream-step3
# Show the error of hashes now being unknown
openssh-7.4p1$ ./ssh ubuntu at 10.245.71.133
The authenticity of host '10.245.71.133 (10.245.71.133)' can't be established.
ECDSA key fingerprint is SHA256:AoKckr17ygqfpIfx94bRSHAzrnVQN6DfKsHR0hySjTM.
Are you sure you want to continue connecting (yes/no)?
The Test can be driven further, the following loop shows nothing on good systems (no diff after the first hashing), while on broken systems it does rehash (and therefore show diff) over and over again.
for i in $(seq 1 20); do ssh-keygen -H; diff -Naur /root/.ssh/known_hosts.old /root/.ssh/known_hosts; done
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1668093
Title:
ssh-keygen -H corrupts already hashed entries
Status in openssh package in Ubuntu:
Confirmed
Bug description:
xenial @ 1:7.2p2-4ubuntu2.1 on amd64 has this bug. trusty @
1:6.6p1-2ubuntu2.8 on amd64 does not have this bug. I have not tested
any other ssh versions.
The following should reproduce the issue:
#ssh-keyscan XXXX > ~/.ssh/known_hosts
# ssh root at XXXXX
Permission denied (publickey).
# ssh-keygen -H
/root/.ssh/known_hosts updated.
Original contents retained as /root/.ssh/known_hosts.old
WARNING: /root/.ssh/known_hosts.old contains unhashed entries
Delete this file to ensure privacy of hostnames
# ssh root at XXXXXX
Permission denied (publickey).
# ssh-keygen -H
/root/.ssh/known_hosts updated.
Original contents retained as /root/.ssh/known_hosts.old
WARNING: /root/.ssh/known_hosts.old contains unhashed entries
Delete this file to ensure privacy of hostnames
# ssh root at XXXXX
The authenticity of host 'XXXXXX' can't be established.
RSA key fingerprint is XXXXXX.
Are you sure you want to continue connecting (yes/no)?
# diff known_hosts.old known_hosts
1c1
< |1|BoAbRpUE3F5AzyprJcbjdepeDh8=|x/1AcaLxh45FlShmVQnlgx2qjxY= XXXXX
---
> |1|nTPsoLxCugQyZi3pqOa2pc/cX64=|bUH5qwZlZPp8msMGHdLtslf3Huk= XXXXX
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1668093/+subscriptions
More information about the foundations-bugs
mailing list