Date:      Thu, 12 Feb 2015 10:51:08 -0500
From:      Eric van Gyzen <eric@vangyzen.net>
To:        Alfred Bartsch <bartsch@dssgmbh.de>, stable@freebsd.org, Dag-Erling Smørgrav <des@des.no>
Subject:   Re: ssh known_hosts in 10.1
Message-ID:  <54DCCBEC.9040104@vangyzen.net>
In-Reply-To: <54DC6048.2060902@dssgmbh.de>
References:  <54DBD1C2.4000108@vangyzen.net> <54DC1A78.9010500@vangyzen.net> <54DC6048.2060902@dssgmbh.de>

On 02/12/2015 03:11, Alfred Bartsch wrote:
> Am 12.02.2015 um 04:14 schrieb Eric van Gyzen:
>> On 2/11/15 5:03 PM, Eric van Gyzen wrote:
>>> -stable:
>>>
>>> I just updated my workstation from 10.0 to 10.1.  Now, ssh is
>>> prompting me to accept host keys that I accepted long ago.  ssh
>>> is looking for the host key in known_hosts using the name given
>>> on the command line; it previously used the FQDN.  ssh-keygen -F
>>> confirms that known_hosts has the same key for the FQDN.
>>>
>>> If I recall correctly, using the FQDN in known_hosts was a
>>> FreeBSD customization.  Did this get dropped during the OpenSSH
>>> update?
>> As it turns out, OpenSSH 6.5 or 6.6 added a hostname
>> canonicalization feature that--as I understand--should make
>> FreeBSD's customization obsolete.  Based on the description in
>> ssh_config, the following should behave as ssh did in 10.0:
>>
>> ssh -o 'CanonicalizeHostname yes' -o 'CanonicalizeFallbackLocal
>> yes' short-name
>>
>> However, it doesn't find the host key, because it's looking for
>> the short-name, not the FQDN:
>>
>> The authenticity of host 'short-name (192.0.2.42)' can't be
>> established.
>>
>> Can anyone else confirm this behavior?
> Yes, I can confirm this.
>
> I'm able to use my old known_hosts after adding two options to
> /etc/ssh/ssh_config:
> ...
>   CanonicalizeHostname yes
>   CanonicalDomains xx yy zz
> ...
>
> where xx, yy, zz are the various domains of the destination hosts.

That works for me, too, but it would be quite unfortunate if I had to
visit all the machines on which I use the ssh client and copy the search
path from /etc/resolv.conf into my ssh config (or the system's) just to
preserve the behavior that has been the default for 12 years.

It would seem that the intent of CanonicalizeFallbackLocal is to
implement behavior similar to FreeBSD's customization of using the FQDN
in known_hosts.  However, ports/security/openssh-portable--currently at
version 6.7p1--still has a patch for this behavior.  So, perhaps the
patch is still needed, but got dropped from 10.1 by the OpenSSH
upgrade.  This would seem plausible, since there would have been a merge
conflict in that area, due to the new CanonicalizeHostname feature.
Applying the patch from the port to the base ssh does restore the behavior.

Dag-Erling:  The update to OpenSSH 6.5p1 (r261320) removed FreeBSD's
customization to use the canonical hostname (FQDN) in the known_hosts
file.  Was this intentional?  Could it be restored?  Conveniently,
patch-ssh.c from security/openssh-portable applies cleanly to
releng/10.1 (and to head, I expect).

Kind regards,

Eric
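
The point of the thread is that the client keys its known_hosts lookup on the literal hostname string it is about to connect to, so an entry recorded under the FQDN is simply not found when the short name is typed, and the user gets a fresh "authenticity can't be established" prompt for a host whose key is already on file. The script below is an added illustration, not code from this thread, from FreeBSD or from OpenSSH: it re-implements the documented known_hosts matching rules (plain and hashed entries, wildcards, `!` negation) and a stand-in for CanonicalizeHostname/CanonicalDomains/CanonicalizeFallbackLocal/CanonicalizeMaxDots, then shows the same short name failing without canonicalization and succeeding with it. The host names, the `example.org` zone, the fixed salt and the placeholder keys are all constructed for the example; the `RESOLVABLE` set stands in for DNS.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for DNS in this example: the names that "resolve" in an
# invented example.org zone. A real client performs real lookups here.
RESOLVABLE = {"host1.example.org", "host2.example.org"}

# Constructed, fixed salt so the hashed entry below is deterministic.
SALT = bytes(range(20))


def hash_hostname(hostname, salt):
    """Build an OpenSSH hashed host token: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def _glob_match(pattern, name):
    """known_hosts wildcards: '*' matches any run, '?' one character; case-insensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, name, re.IGNORECASE) is not None


def host_matches(host_field, hostname):
    """Match one known_hosts host field (hashed token, or comma-separated patterns
    where a leading '!' negates) against a hostname. Matching is on the literal
    string, so 'host1' never matches an entry recorded as 'host1.example.org'."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, hash_b64 = host_field.split("|")
        salt = base64.b64decode(salt_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64decode(hash_b64), actual)
    matched = False
    for pattern in host_field.split(","):
        negate = pattern.startswith("!")
        if negate:
            pattern = pattern[1:]
        if _glob_match(pattern, hostname):
            if negate:
                return False
            matched = True
    return matched


def lookup(known_hosts, hostname):
    """Return the (key type, key) pairs stored for hostname in known_hosts text."""
    found = []
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):        # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) >= 3 and host_matches(fields[0], hostname):
            found.append((fields[1], fields[2]))
    return found


def canonicalize(name, canonical_domains, resolvable=RESOLVABLE,
                 fallback_local=True, max_dots=1):
    """Mimic CanonicalizeHostname yes: append each CanonicalDomains entry in turn
    and take the first candidate that resolves. Names with more than
    CanonicalizeMaxDots dots are left alone; with CanonicalizeFallbackLocal yes an
    unresolvable name is handed back unchanged for the system resolver."""
    if name.count(".") > max_dots:
        return name
    for domain in canonical_domains:
        candidate = "%s.%s" % (name, domain)
        if candidate in resolvable:
            return candidate
    if fallback_local:
        return name
    raise LookupError("cannot canonicalize %r" % name)


# Constructed known_hosts content; the keys are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
# plain FQDN entry, as FreeBSD's patched ssh recorded it
host1.example.org,192.0.2.42 ssh-ed25519 PLACEHOLDER_KEY_HOST1
# hashed entry (HashKnownHosts yes) for host2.example.org
%s ssh-ed25519 PLACEHOLDER_KEY_HOST2
""" % hash_hostname("host2.example.org", SALT)


def keys_for(requested, canonicalize_hostname, canonical_domains=("example.org",)):
    """Resolve the name the way the client would, then look it up in known_hosts."""
    target = canonicalize(requested, canonical_domains) if canonicalize_hostname else requested
    return target, lookup(SAMPLE_KNOWN_HOSTS, target)


if __name__ == "__main__":
    for flag in (False, True):
        target, keys = keys_for("host1", canonicalize_hostname=flag)
        verdict = "known key found" if keys else "no entry: client would prompt"
        print("CanonicalizeHostname %-3s -> lookup %-18s %s"
              % ("yes" if flag else "no", target, verdict))
```

Run stand-alone, the script prints one line per setting: with canonicalization off the lookup key is `host1` and nothing matches, which is exactly the prompt described in the thread; with it on, the key becomes `host1.example.org` and the stored entry is found. The hashed-entry branch is included because `HashKnownHosts yes` makes the mismatch invisible to eye inspection: `ssh-keygen -F` against both the short name and the FQDN is the practical way to check which form an existing file actually holds before accepting a new key.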
