Bug#857736: ssh-keyscan: hash does not include the port

To: submit@bugs.debian.org
Subject: Bug#857736: ssh-keyscan: hash does not include the port
From: Colin Watson <cjwatson@debian.org>
Date: Tue, 14 Mar 2017 13:21:29 +0000
Message-id: <[🔎] 20170314132128.GS20455@riva.ucam.org>
Reply-to: Colin Watson <cjwatson@debian.org>, 857736@bugs.debian.org

Package: openssh-client
Version: 1:7.4p1-7
Severity: important

This was originally reported in
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1670745 and
https://bugzilla.mindrot.org/show_bug.cgi?id=2692.  Here's the eventual
distilled report:

  When running an ssh-keyscan with the -H option on a custom port the
  port is not included in the hash and is in plain text.  For example:
  $ ssh-keyscan -H -p 2222 10.10.10.10
  [|1|HASHED_IP]:2222 ssh-rsa MY_RSA_KEY

  If however I run ssh-keygen without the -H and then come back with
  ssh-keygen it will hash the port:
  $ ssh-keyscan -p 2222 10.10.10.10 > ~/.ssh/authorized_keys
  [10.10.10.10]:2222 ssh-rsa MY_RSA_KEY
  $ ssh-keygen -H -f ~/.ssh/authorized_keys
  $ cat ~/.ssh/authorized_keys
  |1|HASHED_IP_AND_PORT ssh-rsa MY_RSA_KEY

Upstream said:

  ssh-keyscan is in error here.  It's supposed to include the port in
  the hash as ssh and ssh-keygen do.

-- 
Colin Watson                                       [cjwatson@debian.org]

Reply to:

Follow-Ups:
- Bug#857736: marked as done (ssh-keyscan: hash does not include the port)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Processed: merging 856825 857677
Next by Date: Processing of openssh_7.4p1-8_source.changes
Previous by thread: Processed: merging 856825 857677
Next by thread: Bug#857736: marked as done (ssh-keyscan: hash does not include the port)
Index(es):
- Date
- Thread