
Bug#810546: openssh-client: hostkey verification fails checking/matching HostKeyAlgorithm; misreports offending HostKey



I can confirm this for openssh-client 1:7.4p1-10+deb9u1 on Stretch.
It also affects OpenSSH 7.4p1 on macOS, so I guess it really is an upstream
issue.

Furthermore, the ssh_config manpage says about `HostKeyAlgorithms`:

>    [...],
>    ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
>    ssh-ed25519,ssh-rsa
> 
> If hostkeys are known for the destination host then this default is
> modified to prefer their algorithms.

Reading this strictly, I assume "this default" only refers to the default value
stated before and the sentence does not apply with custom `HostKeyAlgorithms`.
There appears to be no option to also get the described behavior in that case.

Best regards,
Felix
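
A simplified model of the situation described in the message above, added here as an example (it is not part of the original message and is not OpenSSH's code). It assumes a custom `HostKeyAlgorithms` list is used in the order written, handles only plain (unhashed) `known_hosts` entries, and compares key type names literally; the function names, sample entries and server algorithm list are constructed for illustration.

```python
# Added example: a diagnostic model, not OpenSSH's implementation.
def known_key_types(known_hosts_text, host):
    """Return key types recorded for `host` (plain, unhashed entries only)."""
    types = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "@", "|")):
            continue  # skip comments, @markers and hashed hostnames
        fields = line.split()
        if len(fields) < 3:
            continue
        names, keytype = fields[0].split(","), fields[1]
        if host in names and keytype not in types:
            types.append(keytype)
    return types

def negotiate(client_algos, server_algos):
    """First algorithm in the client's preference list that the server offers."""
    for algo in client_algos:
        if algo in server_algos:
            return algo
    return None

def diagnose(known_hosts_text, host, host_key_algorithms, server_algos):
    """Classify the outcome for a custom HostKeyAlgorithms value."""
    client = [a.strip() for a in host_key_algorithms.split(",") if a.strip()]
    known = known_key_types(known_hosts_text, host)
    chosen = negotiate(client, server_algos)
    # Algorithms that would have matched a stored key if they had been preferred.
    usable = [a for a in client if a in known and a in server_algos]
    if chosen is None:
        return "no-common-algorithm", chosen, usable
    if chosen in known:
        return "ok", chosen, usable
    if usable:
        return "mismatch", chosen, usable  # stored key exists, other type chosen
    return "unknown-host", chosen, usable

# Constructed sample data (key blobs are placeholders, not real keys).
KNOWN_HOSTS = """\
# constructed sample
server.example,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAAconstructed
other.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5constructed
"""
SERVER_ALGOS = ["ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"]

if __name__ == "__main__":
    print(diagnose(KNOWN_HOSTS, "server.example", "ssh-ed25519,ssh-rsa", SERVER_ALGOS))
```

A `mismatch` result marks the case where a key for the host is stored, but the custom ordering selects a different key type first.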

