Date:      Thu, 12 Feb 2015 09:11:52 +0100
From:      Alfred Bartsch <bartsch@dssgmbh.de>
To:        Eric van Gyzen <eric@vangyzen.net>, stable@freebsd.org
Subject:   Re: ssh known_hosts in 10.1
Message-ID:  <54DC6048.2060902@dssgmbh.de>
In-Reply-To: <54DC1A78.9010500@vangyzen.net>
References:  <54DBD1C2.4000108@vangyzen.net> <54DC1A78.9010500@vangyzen.net>



On 12.02.2015 at 04:14, Eric van Gyzen wrote:
> On 2/11/15 5:03 PM, Eric van Gyzen wrote:
>> -stable:
>> 
>> I just updated my workstation from 10.0 to 10.1.  Now, ssh is
>> prompting me to accept host keys that I accepted long ago.  ssh
>> is looking for the host key in known_hosts using the name given
>> on the command line; it previously used the FQDN.  ssh-keygen -F
>> confirms that known_hosts has the same key for the FQDN.
>> 
>> If I recall correctly, using the FQDN in known_hosts was a
>> FreeBSD customization.  Did this get dropped during the OpenSSH
>> update?
> 
> As it turns out, OpenSSH 6.5 or 6.6 added a hostname
> canonicalization feature that--as I understand--should make
> FreeBSD's customization obsolete.  Based on the description in
> ssh_config, the following should behave as ssh did in 10.0:
> 
> ssh -o 'CanonicalizeHostname yes' -o 'CanonicalizeFallbackLocal yes' short-name
> 
> However, it doesn't find the host key, because it's looking for
> the short-name, not the FQDN:
> 
> The authenticity of host 'short-name (192.0.2.42)' can't be established.
> 
> Can anyone else confirm this behavior?
> 
> Eric

Yes, I can confirm this.

I'm able to use my old known_hosts after adding two options to
/etc/ssh/ssh_config:
...
  CanonicalizeHostname yes
  CanonicalDomains xx yy zz
...

where xx, yy, zz are the various domains of the destination hosts.

HTH

Sincerely,
Alfred Bartsch
Data-Service GmbH
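As an added example (it is not part of this thread and not OpenSSH's own code), the following Python models the two mechanisms the thread turns on: CanonicalizeHostname / CanonicalDomains, which turn a short name into the FQDN that ssh then uses as its lookup key, and the known_hosts match that decides whether the "authenticity of host ... can't be established" prompt appears. The "DNS" table, the known_hosts contents, the host names, the domain list and the key blobs are constructed placeholders. It goes slightly beyond the thread by also matching hashed known_hosts entries (the |1|salt|hash form produced by HashKnownHosts), since a lookup by name has to handle those too.

```python
"""Model of OpenSSH's CanonicalizeHostname / CanonicalDomains logic and of the
known_hosts lookup that decides whether ssh prompts "The authenticity of host
... can't be established".  Constructed example, not OpenSSH code."""
import base64
import hashlib
import hmac

# Constructed stand-in for DNS: the FQDNs that "resolve" in this example.
FAKE_DNS = {
    "short-name.example.com": "192.0.2.42",
    "other.example.org": "192.0.2.43",
}


def canonicalize(name, canonical_domains, max_dots=1, resolves=FAKE_DNS.__contains__):
    """Mimic CanonicalizeHostname yes: for a name with at most max_dots dots
    (CanonicalizeMaxDots, default 1) try name.domain for each entry of
    CanonicalDomains in order and return the first candidate that resolves.
    With an empty domain list there is nothing to try, so the name comes back
    unchanged, and that unchanged name is the key ssh looks up in known_hosts."""
    if name.endswith(".") or name.count(".") > max_dots:
        return name
    for domain in canonical_domains:
        candidate = "%s.%s" % (name, domain)
        if resolves(candidate):
            return candidate
    return name  # CanonicalizeFallbackLocal: leave it to the local resolver


def hash_hostname(hostname, salt):
    """Produce a HashKnownHosts-style host field: |1|base64(salt)|base64(HMAC-SHA1)."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def host_pattern_matches(hosts_field, hostname):
    """Match the first field of a known_hosts line (comma-separated names, or
    hashed entries) against hostname.  Wildcard patterns are not modelled."""
    for pattern in hosts_field.split(","):
        if pattern.startswith("|1|"):
            _, _, salt_b64, hash_b64 = pattern.split("|")
            expected = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(expected, base64.b64decode(hash_b64)):
                return True
        elif pattern == hostname:
            return True
    return False


def lookup_host_key(known_hosts_text, hostname):
    """Equivalent of `ssh-keygen -F hostname`: (keytype, key) of the first
    matching line, or None when ssh would fall back to the trust-on-first-use prompt."""
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):   # @cert-authority / @revoked marker
            fields = fields[1:]
        hosts_field, keytype, key = fields[:3]
        if host_pattern_matches(hosts_field, hostname):
            return keytype, key
    return None


# Constructed known_hosts: one plain FQDN entry, as the thread's old file had,
# and one hashed entry.  The key blobs are placeholders, not real keys.
KNOWN_HOSTS = "\n".join([
    "# constructed example file",
    "short-name.example.com,192.0.2.42 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY1",
    hash_hostname("other.example.org", bytes(range(20))) + " ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERKEY2",
])

DOMAINS = ["example.com", "example.org"]   # stands in for the thread's "xx yy zz" (assumed)


def demo():
    """Reproduce the thread: the bare short name finds nothing (prompt), the
    canonicalized name finds the stored key."""
    return {
        "no_canonical_domains": lookup_host_key(KNOWN_HOSTS, canonicalize("short-name", [])),
        "with_canonical_domains": lookup_host_key(KNOWN_HOSTS, canonicalize("short-name", DOMAINS)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", "prompt (no key found)" if result is None else result[0])
```

On a real system the same lookup is `ssh-keygen -F short-name.example.com` against ~/.ssh/known_hosts, as used earlier in the thread. Two things the model makes visible: CanonicalizeHostname alone does nothing useful without CanonicalDomains, because there is no suffix to try; and the order of CanonicalDomains matters, since the first suffix that resolves wins and becomes the name ssh matches against known_hosts. The security point of getting this right is that a spurious "can't be established" prompt for a host whose key is already stored trains users to type "yes" without checking the fingerprint.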



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?54DC6048.2060902>