[Bug 1668093] [NEW] ssh-keygen -H corrupts already hashed entries

Launchpad Bug Tracker 1668093 at bugs.launchpad.net
Wed Mar 15 14:39:06 UTC 2017 

You have been subscribed to a public bug by ChristianEhrhardt (paelzer):

[Impact]

 * re-execution of ssh-keygen -H can clobber known-hosts
 * Due to that users might get spurious re-warnings of known systems. For Automation it might be worse as it might stop to work when re-executed.

 * This is a regression from Trusty (working) to Xenial (fail) upgrade
due to an upstream bug in the versions we merged.

 * This is a backport of the upstream fix

[Test Case]

 * Pick a Host IP to scan keys from that you can reach and replies with SSH, then run the following trivial loop:
  $ ssh-keyscan ${IP} > ~/.ssh/known_hosts; for i in $(seq 1 20); do ssh-keygen -H; diff -Naur ~/.ssh/known_hosts.old ~/.ssh/known_hosts; done

 * Expected: no diff reported, since already hashed entries should be left as-is
 * Without fix: - diff in the hashes

[Regression Potential]

 * The fix is upstream and soon in Debian as well, so we are not custom
diverting here.

 * The risk should be minimal as this only changes ssh-keygen so despite
openssh being really critical this doesn't affect ssh itself at all.

[Other Info]
 
 * n/a


---

xenial @ 1:7.2p2-4ubuntu2.1 on amd64 has this bug. trusty @
1:6.6p1-2ubuntu2.8 on amd64 does not have this bug. I have not tested
any other ssh versions.

The following should reproduce the issue:

#ssh-keyscan XXXX > ~/.ssh/known_hosts
# ssh root at XXXXX
Permission denied (publickey).
# ssh-keygen -H
/root/.ssh/known_hosts updated.
Original contents retained as /root/.ssh/known_hosts.old
WARNING: /root/.ssh/known_hosts.old contains unhashed entries
Delete this file to ensure privacy of hostnames
# ssh root at XXXXXX
Permission denied (publickey).
# ssh-keygen -H
/root/.ssh/known_hosts updated.
Original contents retained as /root/.ssh/known_hosts.old
WARNING: /root/.ssh/known_hosts.old contains unhashed entries
Delete this file to ensure privacy of hostnames
# ssh root at XXXXX
The authenticity of host 'XXXXXX' can't be established.
RSA key fingerprint is XXXXXX.
Are you sure you want to continue connecting (yes/no)?

# diff known_hosts.old known_hosts
1c1
< |1|BoAbRpUE3F5AzyprJcbjdepeDh8=|x/1AcaLxh45FlShmVQnlgx2qjxY= XXXXX
---
> |1|nTPsoLxCugQyZi3pqOa2pc/cX64=|bUH5qwZlZPp8msMGHdLtslf3Huk= XXXXX

** Affects: openssh (Ubuntu)
     Importance: High
         Status: Fix Committed

** Affects: openssh (Ubuntu Xenial)
     Importance: High
         Status: Triaged

** Affects: openssh (Ubuntu Yakkety)
     Importance: High
         Status: Triaged

** Affects: openssh (Debian)
     Importance: Unknown
         Status: Fix Committed


** Tags: needs-upstream-report patch server-next
-- 
ssh-keygen -H corrupts already hashed entries
https://bugs.launchpad.net/bugs/1668093
You received this bug notification because you are a member of Ubuntu Sponsors Team, which is subscribed to the bug report.

More information about the Ubuntu-sponsors mailing list