From owner-freebsd-stable@FreeBSD.ORG Thu Feb 12 02:05:19 2015
From: Eric van Gyzen
Date: Wed, 11 Feb 2015 21:05:12 -0500
To: Matthew Seaman, freebsd-stable@freebsd.org
Subject: Re: ssh known_hosts in 10.1
Message-ID: <54DC0A58.6090102@vangyzen.net>
References: <54DBD1C2.4000108@vangyzen.net> <54DBDC70.1080609@FreeBSD.org>
In-Reply-To: <54DBDC70.1080609@FreeBSD.org>
List-Id: Production branch of FreeBSD source code

On 2/11/15 5:49 PM, Matthew Seaman wrote:
> On 11/02/2015 22:03, Eric van Gyzen wrote:
>> I just updated my workstation from 10.0 to 10.1. Now, ssh is prompting
>> me to accept host keys that I accepted long ago. ssh is looking for the
>> host key in known_hosts using the name given on the command line; it
>> previously used the FQDN. ssh-keygen -F confirms that known_hosts has
>> the same key for the FQDN.
>>
>> If I recall correctly, using the FQDN in known_hosts was a FreeBSD
>> customization. Did this get dropped during the OpenSSH update?
>
> It's a different type of SSH key. The new default in 10.1 is to use
> ECDSA keys (identified typically as ecdsa-sha2-nistp256 in known_hosts),
> when available, and it's those that SSH is prompting you about. As
> distinct from the DSA and RSA keys you'll have had in your known_hosts
> for donkey's years.

I'm afraid that's not the case. I have scads of ECDSA keys in my
known_hosts file. Specifically, the hosts I'm connecting to already have
the exact same ECDSA key in known_hosts, with the only difference being
the host name (short versus FQDN).

ED25519 host keys were added in 10.1. Perhaps you're thinking of those?

> You can suppress the prompts about new keys by adding appropriate SSHFP
> records to your DNS, although you should be running with DNSSEC enabled
> if you choose to do that.

I would love to, but I'm only a user (luser?) in this environment, not
an admin.

Thanks for the reply,

Eric
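The situation Eric describes (the same host key is present in known_hosts under the FQDN, but ssh now looks it up under the short name typed on the command line, finds nothing, and prompts) can be reproduced and audited outside of ssh. The following script is an added example, not part of this mail thread and not FreeBSD or OpenSSH code: it parses a known_hosts file the way OpenSSH matches it (comma-separated patterns, `*`/`?` globs, `!` negation, and the `|1|salt|hash` form written by `HashKnownHosts yes`, which is HMAC-SHA1 over the hostname with a 20-byte salt) and reports which key types are known under a canonical name but would not be found under the name actually typed. The known_hosts contents, the `example.org` hostnames and the `PLACEHOLDER-*` key blobs are constructed for the example; the lookup treats key blobs as opaque strings and never decodes them.

```python
"""Look up known_hosts entries the way ssh does: by the exact name you typed."""
import base64
import fnmatch
import hashlib
import hmac
import os

# Constructed sample known_hosts (not from the original mail). Key blobs are
# opaque placeholder strings; the lookup only compares them, it never decodes them.
SAMPLE_KNOWN_HOSTS = """\
buildbox.example.org ecdsa-sha2-nistp256 PLACEHOLDER-BUILDBOX-ECDSA
buildbox ecdsa-sha2-nistp256 PLACEHOLDER-BUILDBOX-ECDSA
fileserver.example.org,192.0.2.10 ecdsa-sha2-nistp256 PLACEHOLDER-FILESERVER-ECDSA
fileserver.example.org ssh-ed25519 PLACEHOLDER-FILESERVER-ED25519
# comments and blank lines are ignored

"""


def parse_known_hosts(text):
    """Return a list of (host_patterns, key_type, key_blob) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):            # @cert-authority / @revoked marker
            line = line.split(None, 1)[1]
        fields = line.split(None, 3)        # patterns, type, blob, [comment]
        if len(fields) < 3:
            continue                        # malformed line: ssh skips it too
        patterns, key_type, key_blob = fields[0], fields[1], fields[2]
        entries.append((patterns.split(","), key_type, key_blob))
    return entries


def hashed_host_entry(host, salt=None):
    """Build the |1|salt|hash pattern OpenSSH writes with HashKnownHosts yes."""
    salt = os.urandom(20) if salt is None else salt
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def pattern_matches(pattern, host):
    """Match one host pattern: hashed entry or case-insensitive glob."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, digest_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(digest_b64))
    return fnmatch.fnmatchcase(host.lower(), pattern.lower())


def entry_matches(patterns, host):
    """An entry applies if some pattern matches and no negated pattern does."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if pattern_matches(pat[1:], host):
                return False
        elif pattern_matches(pat, host):
            positive = True
    return positive


def find_keys(entries, host):
    """Keys ssh would consider for `host` exactly as typed: {key_type: blob}."""
    found = {}
    for patterns, key_type, key_blob in entries:
        if entry_matches(patterns, host):
            found.setdefault(key_type, key_blob)
    return found


def missing_under_name(entries, typed_name, canonical_name):
    """Key types known under canonical_name but not identically under typed_name.

    A non-empty result is exactly the case in the thread: the key is already
    trusted under the FQDN, yet a lookup by the short name comes back empty and
    ssh asks the user to accept the "new" host key.
    """
    typed = find_keys(entries, typed_name)
    canonical = find_keys(entries, canonical_name)
    return sorted(kt for kt, blob in canonical.items() if typed.get(kt) != blob)


ENTRIES = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
# One hashed entry with a fixed, constructed salt so the example is deterministic.
FIXED_SALT = bytes(range(20))
ENTRIES.append(([hashed_host_entry("gateway.example.org", FIXED_SALT)],
                "ssh-ed25519", "PLACEHOLDER-GATEWAY-ED25519"))

if __name__ == "__main__":
    for short, fqdn in [("buildbox", "buildbox.example.org"),
                        ("fileserver", "fileserver.example.org")]:
        gap = missing_under_name(ENTRIES, short, fqdn)
        print("%-10s vs %-22s %s" % (short, fqdn,
              "ok" if not gap else "would prompt for " + ", ".join(gap)))
```

Run against a real `~/.ssh/known_hosts` by passing its contents to `parse_known_hosts`; `missing_under_name(entries, "host", "host.fqdn")` then lists, per key type, exactly the prompts a user can expect after switching from FQDN-based to as-typed lookups, and the `ssh-keygen -F name -f known_hosts` command from the thread gives the same per-name answer on the command line. Hashed entries are the reason a plain `grep` for the short name does not work: they can only be checked by recomputing the HMAC for each candidate name, which is what `pattern_matches` does. Entries of the `[host]:port` form used for non-standard ports are not special-cased here; pass the bracketed form as the name if you need them.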