Bug#704170: openssh-server: MITM attack warning should indicate old/new IPs
Package: openssh-server
Version: 1:6.0p1-4
Severity: wishlist
I recently re-added the
127.0.1.1 hostname.domain hostname
line to my /etc/hosts on my ssh server (I was previously leaving the hostname resolution up to dns)
and discovered that this caused an alarming and confusing message from ssh on clients.
The message was that something nasty might be happening, could MITM, or host key had just changed.
I didn't change the host key, and I tracked the problem down to the change in IP and dns (from the server) resolving the server hostname as a loopback address, but it had me worried for a while.
A better message would indicate that the IP had changed (and what IP was current/old). In my case the IP was being resolved as 127.0.1.1 which meant I was being pointed at the client instead of the host, so the name (hostname.domain) didn't match the key returned by 127.0.1.1 (the client instead of the host).
I've since changed /etc/hosts again since obviously the 127.0.1.1 address causes issues in my scenario.
-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (990, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages openssh-server depends on:
ii adduser 3.113+nmu3
ii debconf [debconf-2.0] 1.5.49
ii dpkg 1.16.10
ii libc6 2.13-38
ii libcomerr2 1.42.5-1
ii libgssapi-krb5-2 1.10.1+dfsg-4+nmu1
ii libkrb5-3 1.10.1+dfsg-4+nmu1
ii libpam-modules 1.1.3-7.1
ii libpam-runtime 1.1.3-7.1
ii libpam0g 1.1.3-7.1
ii libselinux1 2.1.9-5
ii libssl1.0.0 1.0.1e-2
ii libwrap0 7.6.q-24
ii lsb-base 4.1+Debian8
ii openssh-client 1:6.0p1-4
ii procps 1:3.3.3-2
ii zlib1g 1:1.2.7.dfsg-13
Versions of packages openssh-server recommends:
ii ncurses-term 5.9-10
ii openssh-blacklist 0.4.1+nmu1
ii openssh-blacklist-extra 0.4.1+nmu1
ii xauth 1:1.0.7-1
Versions of packages openssh-server suggests:
pn molly-guard <none>
pn monkeysphere <none>
pn rssh <none>
ii ssh-askpass 1:1.2.4.1-9
pn ufw <none>
-- debconf information:
ssh/vulnerable_host_keys:
* ssh/use_old_init_script: true
ssh/encrypted_host_key_but_no_keygen:
ssh/disable_cr_auth: false
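The old/new IP diagnostic the report asks for, as an added example that is not part of the bug report or of OpenSSH: it reads known_hosts text, compares the key recorded for the host name with the key recorded for the address the name now resolves to, and lists the addresses in the file that carry the host name's key (where the name used to point). The known_hosts content, host name and addresses below are constructed; hashed `|1|` entries are matched, but their addresses cannot be recovered for the list.

```python
import base64
import hashlib
import hmac
import ipaddress

# Constructed sample known_hosts (not from the report); the key blobs are
# placeholders that are only ever compared for equality.
SAMPLE_KNOWN_HOSTS = """\
hostname.domain,192.0.2.10 ssh-ed25519 AAAA_SERVER_KEY
127.0.1.1 ssh-ed25519 AAAA_CLIENT_KEY
"""

def hashed_match(pattern, name):
    """Match a '|1|<salt>|<mac>' entry: HMAC-SHA1 of the host name under the salt."""
    _, _, salt_b64, mac_b64 = pattern.split("|")
    mac = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, base64.b64decode(mac_b64))

def entry_matches(hostpart, name):
    """True if any comma-separated host pattern (plain or hashed) names `name`."""
    return any(hashed_match(p, name) if p.startswith("|1|") else p == name
               for p in hostpart.split(","))

def parse_known_hosts(text):
    """Return (hosts, keytype, key) triples; comments and @marker lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not fields[0].startswith(("#", "@")):
            entries.append(tuple(fields[:3]))
    return entries

def is_ip(pattern):
    try:
        ipaddress.ip_address(pattern)
        return True
    except ValueError:
        return False

def diagnose(known_hosts_text, hostname, resolved_ip):
    """Key under the host name vs. key under the address it now resolves to,
    plus the plain (unhashed) addresses in the file that carry the name's key."""
    entries = parse_known_hosts(known_hosts_text)
    name_keys = {(t, k) for h, t, k in entries if entry_matches(h, hostname)}
    ip_keys = {(t, k) for h, t, k in entries if entry_matches(h, resolved_ip)}
    old_ips = sorted({p for h, t, k in entries if (t, k) in name_keys
                      for p in h.split(",") if is_ip(p)})
    return {"hostname": hostname, "new_ip": resolved_ip, "old_ips": old_ips,
            "key_mismatch": bool(name_keys and ip_keys and name_keys.isdisjoint(ip_keys))}
```

For the scenario in the report, `diagnose(SAMPLE_KNOWN_HOSTS, "hostname.domain", "127.0.1.1")` reports a key mismatch with old IP 192.0.2.10 and new IP 127.0.1.1, which is the information the reporter wanted the warning to show.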