Changed fingerprint prompt and duplicate ECDSA host key entries in ~/.ssh/known_hosts #8867

Closed
cyberduck opened this issue Jun 7, 2015 · 17 comments

@cyberduck cyberduck commented Jun 7, 2015

59a3ee5 created the issue

I just upgraded to the latest snapshot, and still see this when connecting to hosts of mine

The fingerprint for the ECDSA key sent by the server is bc:d5:5d:36:a4:88:05:47:3d:8c:c0:a1:c2:79:5b:02.

I see this with many Ubuntu 14 VPS hosts which I connect to (not sure if they happen on CentOS hosts)

I do see new lines added to my known_hosts, often with the same signature

|1|9zJQi1kgtbav4hUbTpynNYrOMfk=|3iKfANR/mUwO+nnP30P80h9UPok= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABABPP3MOu9kj6PR4UaRTZ/2tt2G79lZ6E9vz6ijp8bkcuKoLTkY4K14NO2TWB53IWd6Jw8G+d2MmbL0+DCqZCiNQ==
|1|8VsGSG228W/EYlnCmbJTy8mhtuI=|I92YUz202+wnR29bC6pXyCQLRyM= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABABPP3MOu9kj6PR4UaRTZ/2tt2G79lZ6E9vz6ijp8bkcuKoLTkY4K14NO2TWB53IWd6Jw8G+d2MmbL0+DCqZCiNQ==

I don't know that I have any fancy setup causing the IP addresses/hostname to be obscured, and wouldn't care if I didn't anymore, but right now I'm getting stopped, having to say OK to the changed ECDSA key every time.

I'm not sure if/how this is different from related issues:


@cyberduck cyberduck commented Jun 13, 2015

@dkocher commented

Replying to [8867 YesThatAllen]:

> I don't know that I have any fancy setup causing the IP addresses/hostname to be obscured, and wouldn't care if I didn't anymore, but right now I'm getting stopped, having to say OK to the changed ECDSA key every time.

Hostnames are written to the known_hosts file with hashed representation as this prevents identifying information from being disclosed from the known_hosts file. Refer to the ssh-keygen -H option.
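
The hashed host field described in the comment above has the form `|1|salt|hash`, where the hash is HMAC-SHA1 of the host name keyed with the salt, both base64-encoded. As an added example (not part of the original thread and not Cyberduck's code), this sketch checks which known_hosts lines cover a given name and reports keys stored more than once or in conflict; the host names and key blobs in the sample are constructed.

```python
import base64
import hashlib
import hmac
import os
from collections import defaultdict

def hash_host(name, salt=None):
    """Build a '|1|salt|hash' host field: hash = HMAC-SHA1(key=salt, msg=name)."""
    salt = salt or os.urandom(20)
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())

def matches(host_field, name):
    """True if a plain or hashed host field names `name` (patterns not handled)."""
    if not host_field.startswith("|1|"):
        return name in host_field.split(",")
    parts = host_field.split("|")
    if len(parts) != 4:
        return False
    try:
        salt, stored = base64.b64decode(parts[2]), base64.b64decode(parts[3])
    except ValueError:  # malformed base64 in the entry
        return False
    actual = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, stored)

def audit(lines, names):
    """Return (duplicates, conflicts) among entries matching the candidate names."""
    found = defaultdict(lambda: defaultdict(list))
    for lineno, line in enumerate(lines, 1):
        fields = line.split()
        # Skip blanks, comments and @cert-authority/@revoked marker lines.
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        host_field, keytype, blob = fields[:3]
        for name in names:
            if matches(host_field, name):
                found[(name, keytype)][blob].append(lineno)
    # Same name and same key stored on several lines: redundant entries.
    duplicates = [(key, nums) for key, blobs in found.items()
                  for nums in blobs.values() if len(nums) > 1]
    # Same name and key type with different keys: a mismatch to investigate.
    conflicts = [key for key, blobs in found.items() if len(blobs) > 1]
    return duplicates, conflicts

# Constructed sample: host names and key blobs are placeholders, not real keys.
KEY_A, KEY_B = "AAAAconstructedKeyA=", "AAAAconstructedKeyB="
SAMPLE = [hash_host("files.example.test") + " ecdsa-sha2-nistp256 " + KEY_A,
          hash_host("other.example.test") + " ssh-rsa " + KEY_B,
          hash_host("files.example.test") + " ecdsa-sha2-nistp256 " + KEY_A]
```

Pass every name the client may have used for the connection (hostname, IP address, and `[host]:port` for a non-default port), since each is hashed separately.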

@cyberduck cyberduck commented Jun 13, 2015

@dkocher commented

Can you find any related output in the system.log (/Applications/Utilities/Console.app)? Please try if you can reproduce this error when moving aside the ~/.ssh/known_hosts file, starting from scratch with an empty configuration.

@cyberduck cyberduck commented Jun 14, 2015

59a3ee5 commented

steps to repro on my 10.9.5 box running Cyberduck Version 4.8 (17722)

  • mv ~/.ssh/known_hosts ~/.ssh/known_hosts.sav
  • Connect to a saved cyberduck bookmark
  • accept the host key -check "always": |1|WLOvbk6OX0BaEO8BRlw1RkFyby8=|TfTJLD9oc1zu0DABUA4Z8MdaZ0g= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABABPP3MOu9kj6PR4UaRTZ/2tt2G79lZ6E9vz6ijp8bkcuKoLTkY4K14NO2TWB53IWd6Jw8G+d2MmbL0+DCqZCiNQ==
  • navigate around, open files using command-k, all is well.
  • disconnect
  • do other things.. use gitbox to connect to github, etc. (4 new lines are created in my known_hosts file)
  • reconnect to the initial host via the bookmark,
  • get prompted for the ssh host again.

see today's attached known_hosts file

@cyberduck cyberduck commented Jun 14, 2015

@dkocher commented

I tried to reproduce the issue following your steps (thanks for the detailed instructions!) but couldn't when connecting to an EC2 instance with ECDSA keys followed by connecting to a host with RSA keys. Can you let me know the hostname of TfTJLD9oc1zu0DABUA4Z8MdaZ0g=.

@cyberduck cyberduck commented Jun 15, 2015

59a3ee5 commented

sure, it's www.watchmanmonitoring.com

@cyberduck cyberduck commented Jun 15, 2015

59a3ee5 commented

I should add that I don't think my connections to other RSA hosts made a difference other than to give Cyberduck time to forget about the first key it saved.

It seems to be doing the "math" wrong each new connection, not recognizing that the host was already saved.

@cyberduck cyberduck commented Jun 15, 2015

@dkocher commented

I can reproduce this issue when connecting to 173.230.133.218.

@cyberduck cyberduck commented Jun 16, 2015

@dkocher commented

Add test in df68d8e.

@cyberduck cyberduck commented Jun 16, 2015

@dkocher commented

Replying to [comment:11 dkocher]:

> Add test in df68d8e.

The test is against OpenSSH_6.2 whereas 173.230.133.218 runs OpenSSH_6.6.1p1.

@cyberduck cyberduck commented Aug 24, 2015

@dkocher commented

Add test in 849fc8e.

@cyberduck cyberduck commented Nov 4, 2015

@dkocher commented

#9092 closed as duplicate.

@cyberduck cyberduck commented Nov 17, 2015

@dkocher commented

Reference upstream #225

@cyberduck cyberduck commented Nov 20, 2015

@dkocher commented

In 18540.

@cyberduck cyberduck closed this Nov 20, 2015

@cyberduck cyberduck commented Feb 22, 2016

@dkocher commented

#9289 closed as duplicate.

@cyberduck cyberduck commented Feb 24, 2016

@dkocher commented

#9297 closed as duplicate.

@cyberduck cyberduck commented Aug 24, 2016

@dkocher commented

In 21313.

@cyberduck cyberduck commented Oct 18, 2016

@dkocher commented

#9481 closed as duplicate.

@iterate-ch iterate-ch locked as resolved and limited conversation to collaborators Nov 26, 2021