Bug#801664: openssh-client: "ssh-keygen -f ... -R" proposed when hostkey doesn't match is interpreted by shells
Package: openssh-client
Version: 1:6.9p1-2
Severity: normal
Hi,
when host key does not match, the SSH client shows the following message
on my machine:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:b5E6hF7y8kdkILw9eHdLg3Jf7AhKE+iBcPFv+gnxnlo.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this
message.
Offending ECDSA key in /home/user/.ssh/known_hosts:650
remove with:
ssh-keygen -f "/home/user/.ssh/known_hosts" -R [localhost]:2222
ECDSA host key for [localhost]:2222 has changed and you have requested
strict checking.
Host key verification failed.
(it happens quite often when I use VMs in VirtualBox and they use the same
port)
My problem is that when I copy-paste the line to *zsh* shell, I get:
[ /tmp ] $ ssh-keygen -f "/home/user/.ssh/known_hosts" -R [localhost]:2222
zsh: no matches found: [localhost]:2222
Obviously, that's because [] is interpreted by zsh (and maybe other shells too,
although bash is fine with that). This is likely to make problems with other
IPv6 addresses too.
My proposal is to modify the current patch to use '' instead, around the file
and the host. I think that '' ensures that the content between them is not
interpreted in any way.
The modified patch I attach here, does precisely that.
Cheers,
Tomasz
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=es_ES.utf8, LC_CTYPE=es_ES.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages openssh-client depends on:
ii adduser 3.113+nmu3
ii dpkg 1.18.3
ii libc6 2.19-22
ii libedit2 3.1-20150325-1
ii libgssapi-krb5-2 1.13.2+dfsg-2
ii libselinux1 2.3-2+b1
ii libssl1.0.0 1.0.2d-1
ii passwd 1:4.2-3
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages openssh-client recommends:
ii xauth 1:1.0.9-1
Versions of packages openssh-client suggests:
ii keychain 2.8.1-0.1
pn libpam-ssh <none>
pn monkeysphere <none>
ii ssh-askpass 1:1.2.4.1-9
ii ssh-askpass-fullscreen [ssh-askpass] 0.3-3.1
ii ssh-askpass-gnome [ssh-askpass] 1:6.9p1-2
-- Configuration Files:
/etc/ssh/ssh_config changed [not included]
-- no debconf information
>From 68580f4a03088e52e1d680389a35655c85613c7a Mon Sep 17 00:00:00 2001
From: Scott Moser <smoser@ubuntu.com>
Date: Sun, 9 Feb 2014 16:10:03 +0000
Subject: Mention ssh-keygen in ssh fingerprint changed warning
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843
Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607
Last-Update: 2015-09-08
Patch-Name: mention-ssh-keygen-on-keychange.patch
---
sshconnect.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1078,9 +1078,13 @@
error("%s. This could either mean that", key_msg);
error("DNS SPOOFING is happening or the IP address for the host");
error("and its host key have changed at the same time.");
- if (ip_status != HOST_NEW)
+ if (ip_status != HOST_NEW) {
error("Offending key for IP in %s:%lu",
ip_found->file, ip_found->line);
+ error(" remove with:");
+ error(" ssh-keygen -f '%s' -R '%s'",
+ ip_found->file, ip);
+ }
}
/* The host key has changed. */
warn_changed_key(host_key);
@@ -1088,6 +1092,8 @@
user_hostfiles[0]);
error("Offending %s key in %s:%lu", key_type(host_found->key),
host_found->file, host_found->line);
+ error(" remove with:");
+ error(" ssh-keygen -f '%s' -R '%s'", host_found->file, host);
/*
* If strict host key checking is in use, the user will have
Reply to: