Date: Wed, 11 Feb 2015 22:49:20 +0000
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-stable@freebsd.org
Subject: Re: ssh known_hosts in 10.1
Message-ID: <54DBDC70.1080609@FreeBSD.org>
In-Reply-To: <54DBD1C2.4000108@vangyzen.net>
References: <54DBD1C2.4000108@vangyzen.net>

On 11/02/2015 22:03, Eric van Gyzen wrote:
> I just updated my workstation from 10.0 to 10.1.  Now, ssh is prompting
> me to accept host keys that I accepted long ago.  ssh is looking for the
> host key in known_hosts using the name given on the command line; it
> previously used the FQDN.  ssh-keygen -F confirms that known_hosts has
> the same key for the FQDN.
>
> If I recall correctly, using the FQDN in known_hosts was a FreeBSD
> customization.  Did this get dropped during the OpenSSH update?

It's a different type of SSH key.  The new default in 10.1 is to use
ECDSA keys (identified typically as ecdsa-sha2-nistp256 in known_hosts),
when available, and it's those that SSH is prompting you about.  As
distinct from the DSA and RSA keys you'll have had in your known_hosts
for donkey's years.

You can suppress the prompts about new keys by adding appropriate SSHFP
records to your DNS, although you should be running with DNSSEC enabled
if you choose to do that.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
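
The SSHFP records suggested in the reply above are DNS-published fingerprints of a server's public host key, one set per key type. The following Python is an added example, not part of the original message: it derives the SHA-1 and SHA-256 SSHFP records from a public key line and rejects a line whose declared type disagrees with the key blob. The owner name `host.example.org.` and the sample ECDSA key bytes are constructed for illustration.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers by key type (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGO = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte length + data)."""
    return struct.pack(">I", len(data)) + data

def sshfp_records(owner: str, pubkey_line: str) -> list:
    """Return SSHFP RRs for one 'keytype base64 [comment]' public key line."""
    keytype, b64 = pubkey_line.split()[:2]
    if keytype not in SSHFP_ALGO:
        raise ValueError("unsupported key type: " + keytype)
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with a length-prefixed copy of the key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode("ascii"):
        raise ValueError("declared key type does not match key blob")
    algo = SSHFP_ALGO[keytype]
    # Fingerprint type 1 is SHA-1, type 2 is SHA-256, both over the raw blob.
    return [
        "%s IN SSHFP %d 1 %s" % (owner, algo, hashlib.sha1(blob).hexdigest()),
        "%s IN SSHFP %d 2 %s" % (owner, algo, hashlib.sha256(blob).hexdigest()),
    ]

# Constructed sample: correctly framed ECDSA blob, but not a real curve point.
SAMPLE_BLOB = (ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256")
               + ssh_string(b"\x04" + bytes(range(64))))
SAMPLE_LINE = ("ecdsa-sha2-nistp256 "
               + base64.b64encode(SAMPLE_BLOB).decode("ascii")
               + " constructed-example")

if __name__ == "__main__":
    for rr in sshfp_records("host.example.org.", SAMPLE_LINE):
        print(rr)
```

For a real host key, `ssh-keygen -r` prints the same records; the ssh client consults them only when `VerifyHostKeyDNS` is enabled.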