
Bug#851734: marked as done (ssh-keygen: -H destroys already hashed known_hosts entries)



Your message dated Wed, 15 Mar 2017 12:34:23 +0000
with message-id <E1co88F-0009fQ-6W@fasolo.debian.org>
and subject line Bug#851734: fixed in openssh 1:7.4p1-8
has caused the Debian Bug report #851734,
regarding ssh-keygen: -H destroys already hashed known_hosts entries
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
851734: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851734
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-client
Version: 1:7.4p1-5
Severity: normal

Dear Maintainer,

After having manually added a host to my known_hosts file, I wanted to
hash the new hostname. According to ssh-keygen(1),

    -H ... This option will not modify existing hashed hostnames and is
    therefore safe to use on files that mix hashed and non-hashed names.

So, I used `ssh-keygen -H` and was notified that all hostnames have been
hashed.

However, when I subsequently tried to access an old server (not the
newly added one), ssh asked me to verify its fingerprint. I compared the
new known_hosts file with the automatic backup and noticed that the
hashes of all 500+ entries in my known_hosts file had changed, so not
only -- as expected -- the single new one.

Workaround: put line in extra file, hash the hostname using `ssh-keygen
-H -f <file>` and append it to the actual known_hosts file afterwards.

Thank you!

Best,
Maximilian


-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-client depends on:
ii  adduser           3.115
ii  dpkg              1.18.18
ii  libc6             2.24-8
ii  libedit2          3.1-20160903-2
ii  libgssapi-krb5-2  1.15-1
ii  libselinux1       2.6-3
ii  libssl1.0.2       1.0.2j-4
ii  passwd            1:4.2-3.3
ii  zlib1g            1:1.2.8.dfsg-4

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.9-1

Versions of packages openssh-client suggests:
ii  keychain      2.8.2-0.1
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>

-- no debconf information




--- End Message ---
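The behaviour the report expected from `-H`, together with the backup comparison the reporter describes, as an added example (not code from OpenSSH or from the report). It relies on the hashed known_hosts field format `|1|base64(salt)|base64(HMAC-SHA1(salt, hostname))`; the host names and key blob are constructed, and leaving `@marker` and wildcard lines alone is a simplification of this example.

```python
import base64, hashlib, hmac, os

MAGIC = "|1|"  # marks a hashed host field: |1|base64(salt)|base64(HMAC-SHA1)

def _mac(salt, host):
    return hmac.new(salt, host.encode(), hashlib.sha1).digest()

def hash_host(host, salt=None):
    """Hashed form of one host name; a fresh random 20-byte salt by default."""
    salt = os.urandom(20) if salt is None else salt
    b64 = lambda raw: base64.b64encode(raw).decode()
    return MAGIC + b64(salt) + "|" + b64(_mac(salt, host))

def matches(field, host):
    """True if the hashed host field `field` was derived from `host`."""
    if not field.startswith(MAGIC):
        return False
    salt_b64, _, mac_b64 = field[len(MAGIC):].partition("|")
    return hmac.compare_digest(_mac(base64.b64decode(salt_b64), host),
                               base64.b64decode(mac_b64))

def hash_plain_entries(text):
    """Hash plain host names only; every other line passes through verbatim."""
    out = []
    for line in text.splitlines():
        names, _, rest = line.partition(" ")
        # Simplification of this example: comments, blank lines, @marker lines
        # and wildcard patterns are left alone, as are already-hashed entries.
        if (not rest or names.startswith((MAGIC, "#", "@"))
                or any(c in names for c in "*?!")):
            out.append(line)
        else:
            out.extend(hash_host(n) + " " + rest for n in names.split(","))
    return "\n".join(out) + "\n"

def lost_hashed_lines(backup, current):
    """Hashed lines of the backup that no longer appear verbatim in `current`."""
    now = set(current.splitlines())
    return [l for l in backup.splitlines() if l.startswith(MAGIC) and l not in now]

# Constructed sample: one entry hashed earlier, one host name added by hand.
KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedKeyBlobNotARealKey0000"
BEFORE = "\n".join([hash_host("old.example.org", bytes(range(20))) + " " + KEY,
                    "new.example.org " + KEY]) + "\n"
AFTER = hash_plain_entries(BEFORE)
```

Running `lost_hashed_lines` on the automatic backup and the rewritten file gives an empty list when existing hashed entries survived; any line it returns is an entry that was rewritten.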
--- Begin Message ---
Source: openssh
Source-Version: 1:7.4p1-8

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 851734@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 14 Mar 2017 13:49:14 +0000
Source: openssh
Binary: openssh-client openssh-client-ssh1 openssh-server openssh-sftp-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.4p1-8
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-ssh1 - secure shell (SSH) client for legacy SSH1 protocol
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 851734 857736
Changes:
 openssh (1:7.4p1-8) unstable; urgency=medium
 .
   * Fix ssh-keygen -H accidentally corrupting known_hosts that contained
     already-hashed entries (closes: #851734, LP: #1668093).
   * Fix ssh-keyscan to correctly hash hosts with a port number (closes:
     #857736, LP: #1670745).


--- End Message ---