From: Matthew Seaman
Date: Wed, 11 Feb 2015 22:49:20 +0000
To: freebsd-stable@freebsd.org
Subject: Re: ssh known_hosts in 10.1
Message-ID: <54DBDC70.1080609@FreeBSD.org>
In-Reply-To: <54DBD1C2.4000108@vangyzen.net>

On 11/02/2015 22:03, Eric van Gyzen wrote:
> I just updated my workstation from 10.0 to 10.1.  Now, ssh is prompting
> me to accept host keys that I accepted long ago.  ssh is looking for the
> host key in known_hosts using the name given on the command line; it
> previously used the FQDN.  ssh-keygen -F confirms that known_hosts has
> the same key for the FQDN.
>
> If I recall correctly, using the FQDN in known_hosts was a FreeBSD
> customization.  Did this get dropped during the OpenSSH update?

It's a different type of SSH key.  The new default in 10.1 is to use
ECDSA keys (identified typically as ecdsa-sha2-nistp256 in known_hosts),
when available, and it's those that SSH is prompting you about.  As
distinct from the DSA and RSA keys you'll have had in your known_hosts
for donkey's years.

You can suppress the prompts about new keys by adding appropriate SSHFP
records to your DNS, although you should be running with DNSSEC enabled
if you choose to do that.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
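
Added example, not part of the original message and not OpenSSH code: it shows the situation the reply describes, a known_hosts file that holds only RSA and DSA entries for a host that now offers an ECDSA key, and derives the SSHFP records for that key (SHA-1 and SHA-256 of the key blob, RFC 4255 / RFC 6594). The host name build.example.org, the address, the key material and all helper names are constructed for the example.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers from RFC 4255 / RFC 6594 (Ed25519 is 4, RFC 7479).
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}

def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def constructed_key(keytype: str, filler: bytes) -> str:
    """Constructed sample: well-formed framing, meaningless key material."""
    blob = ssh_string(keytype.encode()) + ssh_string(filler)
    return f"{keytype} {base64.b64encode(blob).decode()}"

# Constructed known_hosts: the host is known only by its older RSA and DSA keys.
KNOWN_HOSTS = "\n".join([
    "build.example.org,192.0.2.10 " + constructed_key("ssh-rsa", b"\x01" * 32),
    "build.example.org " + constructed_key("ssh-dss", b"\x02" * 32),
])

def recorded_key_types(known_hosts: str, host: str) -> set:
    """Key types stored for a plain-text host name (hashed entries not handled)."""
    types = set()
    for line in known_hosts.splitlines():
        fields = line.split()
        # Skip blanks, comments and @marker lines; match any name in the host list.
        if len(fields) >= 3 and line[0] not in "#@" and host in fields[0].split(","):
            types.add(fields[1])
    return types

def is_new_key_type(known_hosts: str, host: str, offered: str) -> bool:
    """True when the server offers a key type that has no entry yet for host."""
    return offered.split()[0] not in recorded_key_types(known_hosts, host)

def sshfp_records(host: str, pubkey: str) -> list:
    """SSHFP lines (SHA-1 and SHA-256 of the key blob), as 'ssh-keygen -r' prints."""
    keytype, b64 = pubkey.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type label does not match the key blob")
    algo = SSHFP_ALGO[keytype]
    return [f"{host} IN SSHFP {algo} {fptype} {h(blob).hexdigest()}"
            for fptype, h in ((1, hashlib.sha1), (2, hashlib.sha256))]

if __name__ == "__main__":
    offered = constructed_key("ecdsa-sha2-nistp256", b"\x03" * 65)
    print(sorted(recorded_key_types(KNOWN_HOSTS, "build.example.org")))
    print(is_new_key_type(KNOWN_HOSTS, "build.example.org", offered))
    print("\n".join(sshfp_records("build.example.org", offered)))
```

On the client, OpenSSH's VerifyHostKeyDNS option controls whether such records are consulted; they are only as trustworthy as the DNS answer that carries them, which is why the reply ties them to DNSSEC.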