Date: Wed, 11 Feb 2015 21:05:12 -0500
From: Eric van Gyzen <eric@vangyzen.net>
To: Matthew Seaman <matthew@FreeBSD.org>, freebsd-stable@freebsd.org
Subject: Re: ssh known_hosts in 10.1
Message-ID: <54DC0A58.6090102@vangyzen.net>
In-Reply-To: <54DBDC70.1080609@FreeBSD.org>
References: <54DBD1C2.4000108@vangyzen.net> <54DBDC70.1080609@FreeBSD.org>
On 2/11/15 5:49 PM, Matthew Seaman wrote:
> On 11/02/2015 22:03, Eric van Gyzen wrote:
>> I just updated my workstation from 10.0 to 10.1. Now, ssh is prompting
>> me to accept host keys that I accepted long ago. ssh is looking for the
>> host key in known_hosts using the name given on the command line; it
>> previously used the FQDN. ssh-keygen -F confirms that known_hosts has
>> the same key for the FQDN.
>>
>> If I recall correctly, using the FQDN in known_hosts was a FreeBSD
>> customization. Did this get dropped during the OpenSSH update?
> It's a different type of SSH key. The new default in 10.1 is to use
> ECDSA keys (identified typically as ecdsa-sha2-nistp256 in known_hosts),
> when available, and it's those that SSH is prompting you about. As
> distinct from the DSA and RSA keys you'll have had in your known_hosts
> for donkey's years.

I'm afraid that's not the case. I have scads of ECDSA keys in my
known_hosts file. Specifically, the hosts I'm connecting to already have
the exact same ECDSA key in known_hosts, with the only difference being
the host name (short versus FQDN).

ED25519 host keys were added in 10.1. Perhaps you're thinking of those?

> You can suppress the prompts about new keys by adding appropriate SSHFP
> records to your DNS, although you should be running with DNSSEC enabled
> if you choose to do that.

I would love to, but I'm only a user (luser?) in this environment, not
an admin.

Thanks for the reply,

Eric
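The two things discussed above, the known_hosts lookup by short name versus FQDN and the SSHFP records suggested as a workaround, can both be checked offline. The script below is an added example, not part of this thread and not OpenSSH's own code. It parses known_hosts entries the way the client does (plain names, comma-separated name lists, and HashKnownHosts-style hashed entries), reports per key type whether the short name and the FQDN carry the same key, and computes the SSHFP RDATA that `ssh-keygen -r` would emit. The hostnames under example.org, the known_hosts lines, and the ECDSA key blobs are constructed placeholders (correct wire layout, filler point bytes), so nothing here is a real host key.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def fake_ecdsa_blob(seed: int) -> bytes:
    """Constructed placeholder: correct ecdsa-sha2-nistp256 blob layout, but the
    point bytes are filler rather than a real curve point. Fine for parsing/hashing."""
    point = b"\x04" + bytes((seed + i) % 256 for i in range(64))
    return ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256") + ssh_string(point)


KEY_A = base64.b64encode(fake_ecdsa_blob(0)).decode()
KEY_B = base64.b64encode(fake_ecdsa_blob(7)).decode()


def hash_hostname(host: str, salt: bytes) -> str:
    """HashKnownHosts entry: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def hostname_matches(field: str, host: str) -> bool:
    """True if a known_hosts host field (plain, comma-separated or hashed) covers host."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        expected = base64.b64decode(mac_b64)
        actual = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return host in field.split(",")


def find_keys(known_hosts: str, host: str) -> dict:
    """Return {key_type: base64_blob} for every known_hosts line matching host."""
    found = {}
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            continue
        if hostname_matches(fields[0], host):
            found[fields[1]] = fields[2]
    return found


def compare_names(known_hosts: str, short: str, fqdn: str) -> dict:
    """Per key type: 'same', 'differ', 'fqdn-only' or 'short-only'.
    'fqdn-only' is the situation in the thread; 'differ' deserves a closer look."""
    short_keys = find_keys(known_hosts, short)
    fqdn_keys = find_keys(known_hosts, fqdn)
    report = {}
    for ktype in sorted(set(short_keys) | set(fqdn_keys)):
        if ktype in short_keys and ktype in fqdn_keys:
            report[ktype] = "same" if short_keys[ktype] == fqdn_keys[ktype] else "differ"
        elif ktype in fqdn_keys:
            report[ktype] = "fqdn-only"
        else:
            report[ktype] = "short-only"
    return report


SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}


def sshfp_records(host: str, key_type: str, blob_b64: str) -> list:
    """SSHFP RDATA per RFC 4255/6594: algorithm, fingerprint type (1=SHA-1, 2=SHA-256),
    hex digest over the raw (base64-decoded) public key blob, as ssh-keygen -r prints."""
    blob = base64.b64decode(blob_b64)
    algo = SSHFP_ALGO[key_type]
    return [
        "%s IN SSHFP %d 1 %s" % (host, algo, hashlib.sha1(blob).hexdigest()),
        "%s IN SSHFP %d 2 %s" % (host, algo, hashlib.sha256(blob).hexdigest()),
    ]


# Constructed sample known_hosts; hostnames and keys are placeholders.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# box1: FQDN entry only, so 'ssh box1' looking up the short name finds nothing",
    "box1.example.org,192.0.2.10 ecdsa-sha2-nistp256 " + KEY_A,
    "# box2: hashed entry (HashKnownHosts yes) for the FQDN",
    hash_hostname("box2.example.org", b"0123456789abcdefghij") + " ecdsa-sha2-nistp256 " + KEY_A,
    "# box3: both names on one line, as ssh writes them when it learns a host",
    "box3,box3.example.org ecdsa-sha2-nistp256 " + KEY_A,
    "# box4: short and FQDN names recorded with different keys",
    "box4 ecdsa-sha2-nistp256 " + KEY_A,
    "box4.example.org ecdsa-sha2-nistp256 " + KEY_B,
])

if __name__ == "__main__":
    for name in ("box1", "box2", "box3", "box4"):
        print(name, compare_names(SAMPLE_KNOWN_HOSTS, name, name + ".example.org"))
    for rr in sshfp_records("box1.example.org", "ecdsa-sha2-nistp256", KEY_A):
        print(rr)
```

Running it prints `fqdn-only` for box1 and box2, which is exactly the situation Eric describes: the key is on file, but only under the name the client is no longer using. The `differ` result for box4 is the one worth pausing on, since it means the two names have been recorded with different keys and the host's admin should confirm which one is current. For the name-lookup problem itself, OpenSSH 6.5 and later (the version in 10.1 is new enough) can be told to expand a short name before consulting known_hosts with `CanonicalizeHostname yes` plus a `CanonicalDomains` line in `~/.ssh/config`; that is a client-side setting, so it does not need the admin access that SSHFP and DNSSEC would.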