From owner-freebsd-stable@FreeBSD.ORG Thu Feb 12 08:12:03 2015
From: Alfred Bartsch
To: Eric van Gyzen, stable@freebsd.org
Date: Thu, 12 Feb 2015 09:11:52 +0100
Subject: Re: ssh known_hosts in 10.1
Message-ID: <54DC6048.2060902@dssgmbh.de>
References: <54DBD1C2.4000108@vangyzen.net> <54DC1A78.9010500@vangyzen.net>
In-Reply-To: <54DC1A78.9010500@vangyzen.net>

On 12.02.2015 at 04:14, Eric van Gyzen wrote:
> On 2/11/15 5:03 PM, Eric van Gyzen wrote:
>> -stable:
>>
>> I just updated my workstation from 10.0 to 10.1. Now, ssh is
>> prompting me to accept host keys that I accepted long ago. ssh
>> is looking for the host key in known_hosts using the name given
>> on the command line; it previously used the FQDN. ssh-keygen -F
>> confirms that known_hosts has the same key for the FQDN.
>>
>> If I recall correctly, using the FQDN in known_hosts was a
>> FreeBSD customization. Did this get dropped during the OpenSSH
>> update?
>
> As it turns out, OpenSSH 6.5 or 6.6 added a hostname
> canonicalization feature that--as I understand--should make
> FreeBSD's customization obsolete. Based on the description in
> ssh_config, the following should behave as ssh did in 10.0:
>
> ssh -o 'CanonicalizeHostname yes' -o 'CanonicalizeFallbackLocal yes' short-name
>
> However, it doesn't find the host key, because it's looking for
> the short-name, not the FQDN:
>
> The authenticity of host 'short-name (192.0.2.42)' can't be
> established.
>
> Can anyone else confirm this behavior?
>
> Eric

Yes, I can confirm this.
I'm able to use my old known_hosts after adding two options to /etc/ssh/ssh_config:

...
CanonicalizeHostname yes
CanonicalDomains xx yy zz
...

where xx, yy, zz are the various domains of the destination hosts.

HTH
Sincerely,
Alfred Bartsch
Data-Service GmbH
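The behaviour discussed in this thread, as an added illustration that is not part of the original mail and not OpenSSH code: a small model of how ssh matches a name against known_hosts (plain, comma-separated, wildcard, negated and hashed `|1|salt|hmac` entries) and of what `CanonicalizeHostname yes` with `CanonicalDomains` does to a short name before that lookup. The known_hosts content, the key blobs, the salt and the `DNS` table standing in for the resolver are all constructed for the example; the function names are the example's own.

```python
"""Model of OpenSSH known_hosts matching and hostname canonicalization (added example)."""
import base64
import fnmatch
import hashlib
import hmac

# Constructed placeholder key blobs; they are not real keys and are never decoded.
KEY_HOST1 = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERhost1notarealkey"
KEY_BACKUP = "AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERbackupnotarealkey"
KEY_LAB = "AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERlabnotarealkey"


def hash_host(host: str, salt: bytes) -> str:
    """Hashed known_hosts form (HashKnownHosts yes): |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


# Constructed known_hosts: the first entry is stored under the FQDN, as in the thread.
KNOWN_HOSTS = "\n".join([
    "# comment and blank lines are ignored",
    "",
    "host1.example.org,192.0.2.42 ssh-ed25519 %s" % KEY_HOST1,
    "%s ssh-rsa %s" % (hash_host("backup.example.net", b"\x01" * 20), KEY_BACKUP),  # constructed salt
    "*.lab.example.org,!ci.lab.example.org ssh-rsa %s" % KEY_LAB,
])

# Constructed stand-in for DNS: the only names the example can "resolve".
DNS = {"host1.example.org": "192.0.2.42", "backup.example.net": "192.0.2.43",
       "build.lab.example.org": "192.0.2.44"}


def parse_known_hosts(text: str):
    """Yield (marker, host_patterns, key_type, key_blob) per usable line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue  # skip malformed line
        yield marker, fields[0].split(","), fields[1], fields[2]


def pattern_matches(pattern: str, host: str) -> bool:
    """One host pattern: hashed entries are compared via HMAC, others via glob."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64decode(mac_b64), actual)
    return fnmatch.fnmatchcase(host.lower(), pattern.lower())


def host_matches(patterns, host: str) -> bool:
    """A negated (!) pattern that matches excludes the whole entry."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if pattern_matches(pat[1:], host):
                return False
        elif pattern_matches(pat, host):
            matched = True
    return matched


def find_host_keys(text: str, host: str, port: int = 22):
    """Keys known_hosts holds for the name ssh looks up (bracketed form for non-default ports)."""
    lookup = host if port == 22 else "[%s]:%d" % (host, port)
    return [(ktype, key) for marker, pats, ktype, key in parse_known_hosts(text)
            if marker != "@revoked" and host_matches(pats, lookup)]


def canonicalize(name: str, canonical_domains, resolver=DNS, fallback_local=True, max_dots=1):
    """Model CanonicalizeHostname yes: append each CanonicalDomains entry until one resolves."""
    if name.count(".") > max_dots or name.replace(".", "").isdigit():
        return name  # beyond CanonicalizeMaxDots, or an IPv4 literal: left alone
    for domain in canonical_domains:
        candidate = "%s.%s" % (name, domain)
        if candidate in resolver:
            return candidate
    if fallback_local:
        return name  # CanonicalizeFallbackLocal yes: keep the name as given
    raise LookupError("could not canonicalize %r" % name)


if __name__ == "__main__":
    for name in ("host1", "host1.example.org"):
        print("%-20s -> %s" % (name, find_host_keys(KNOWN_HOSTS, name) or "not found: ssh would prompt"))
    fqdn = canonicalize("host1", ["example.org", "example.net"])
    print("canonicalized host1 -> %s -> %s" % (fqdn, find_host_keys(KNOWN_HOSTS, fqdn)))
```

Run stand-alone, the script shows the short name missing the FQDN entry while the canonicalized name finds it, which is the effect of adding `CanonicalDomains` that the reply reports. The hashed entry is matched only when the exact FQDN is presented, so hashed known_hosts files depend on canonicalization in the same way.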