Bug#857736: ssh-keyscan: hash does not include the port
Package: openssh-client
Version: 1:7.4p1-7
Severity: important
This was originally reported in
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1670745 and
https://bugzilla.mindrot.org/show_bug.cgi?id=2692. Here's the eventual
distilled report:
When running an ssh-keyscan with the -H option on a custom port the
port is not included in the hash and is in plain text. For example:
$ ssh-keyscan -H -p 2222 10.10.10.10
[|1|HASHED_IP]:2222 ssh-rsa MY_RSA_KEY
If however I run ssh-keygen without the -H and then come back with
ssh-keygen it will hash the port:
$ ssh-keyscan -p 2222 10.10.10.10 > ~/.ssh/authorized_keys
[10.10.10.10]:2222 ssh-rsa MY_RSA_KEY
$ ssh-keygen -H -f ~/.ssh/authorized_keys
$ cat ~/.ssh/authorized_keys
|1|HASHED_IP_AND_PORT ssh-rsa MY_RSA_KEY
Upstream said:
ssh-keyscan is in error here. It's supposed to include the port in
the hash as ssh and ssh-keygen do.
--
Colin Watson [cjwatson@debian.org]
Reply to: