
Re: Problem with SSH host keys




On Sep 23, 2014 6:44 PM, "Keith Lawson" <keith@nowhere.ca> wrote:
>
> On Tue, Sep 23, 2014 at 04:45:50PM -0400, shawn wilson wrote:
> > On Tue, Sep 23, 2014 at 10:20 AM, Keith Lawson <keith@nowhere.ca> wrote:
> > > Hello,
> > >
> > > I'm running jessie on my laptop and after doing a dist-upgrade yesterday I'm
> > > getting SSH host key errors for a bunch of servers I've been connecting to
> > > for years:
> > >
> >
> > IDK if this has anything to do with the problem you're seeing (unless you
> > have something wacky with your ~/.ssh - like it being symlinked to /etc/ssh
> > or something). So, I'll just go on the assumption that this is
> > coincidence...
> >
> > > The authenticity of host 'blah' can't be established.
> > > RSA key fingerprint is e8:08:db:b0:e7:38:57:d4:82:a8:a4:1c:42:f0:25:09.
> > > Are you sure you want to continue connecting (yes/no)?
> > >
> > > The host keys are in ~/.ssh/known_hosts and haven't changed on the server
> > > side. Looking at the openssl, openssh-server and openssh-client change logs
> > > I don't see anything that would explain this behavior. Is anyone aware of
> > > any changes in openssh-client in jessie that would cause certain server keys
> > > that were previously working to be invalid?
> > >
> >
> > The host keys are in known_hosts, but are the proper keys (the one you
> > listed above - see ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub on
> > the server) listed there? Does your user own the file and is it mode
> > 660 or less? Are you logging into the server you think you are (did
> > you typo an IP in your ssh_config, or is someone MITMing you)?
> >
>
> Time stamps on the keys on the server haven't changed, and the key fingerprint on the server matches what's getting offered to the client. I use aliases like "alias hostname='ssh keith@hostname.com'" so typos are out of the question. Still stumped on what changed, and when we're talking SSH keys, that makes me nervous.
>

You didn't answer most of the above, so I'll just assume you've found that not to be an issue... I guess the main way I debug SSH is to log in out of band and look at both the client and server logs.

You're aware of ssh_config? And that you can define the username to use for an arbitrary hostname to connect to a real ip? Basically doing the same thing your aliases do (but better). If you're going to add functionality to SSH, do it with functions so you have better control of what happens to parameters.
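As an added example (not from the thread or any of its posters), a small POSIX shell script that walks through the client-side checks suggested above: whether known_hosts really holds an entry for the host, whether the file's ownership and mode are sane, and whether the stored key's old-style MD5 fingerprint matches the one read out of band on the server with ssh-keygen -lf. It assumes GNU base64 and md5sum (a Linux client); the hostname "blah", the sample known_hosts lines and the key blob are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the thread): client-side triage for an unexpected
# "authenticity of host ... can't be established" prompt. Host "blah", the
# sample known_hosts lines and the key blob used in tests are constructed.

# Print the plain known_hosts entries naming a host. Handles @marker lines,
# comma-separated host lists and [host]:port; hashed (|1|...) entries are
# not matched here, so fall back to ssh-keygen -F for those.
known_hosts_entries() {   # $1 = known_hosts file, $2 = hostname or IP
    awk -v h="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        { f = ($1 ~ /^@/) ? $2 : $1
          n = split(f, a, ",")
          for (i = 1; i <= n; i++) {
              sub(/^\[/, "", a[i]); sub(/]:[0-9]+$/, "", a[i])
              if (a[i] == h) { print; break }
          } }' "$1"
}

# Old-style MD5 fingerprint (aa:bb:cc:...) of the key blob on a known_hosts
# line: base64-decode the key and hash it, as ssh-keygen -l did for years.
md5_fingerprint() {       # stdin = one known_hosts line
    awk '{ k = ($1 ~ /^@/) ? $4 : $3; print k }' | base64 -d | md5sum \
        | cut -c1-32 | sed 's/../&:/g; s/:$//'
}

# known_hosts must be owned by the caller and not group/world writable.
perm_ok() {               # $1 = file
    [ -O "$1" ] && ! ls -ld "$1" | cut -c6,9 | grep -q w
}

# Compare the key(s) stored for a host with the fingerprint read out of band
# on the server (ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub).
# Exit 0 = match, 1 = entry present but different key, 2 = no entry.
check_host() {            # $1 = known_hosts file, $2 = host, $3 = server fingerprint
    fps=$(known_hosts_entries "$1" "$2" | while read -r line; do
              printf '%s\n' "$line" | md5_fingerprint
          done)
    if [ -z "$fps" ]; then
        echo "no plain entry for $2 in $1 (hashed? try: ssh-keygen -F $2)"; return 2
    fi
    if printf '%s\n' "$fps" | grep -Fqx "$3"; then
        echo "stored key for $2 matches the server fingerprint $3"; return 0
    fi
    echo "stored key for $2 differs from $3: key changed or another host answered"
    return 1
}
```

Typical use is `perm_ok ~/.ssh/known_hosts && check_host ~/.ssh/known_hosts blah e8:08:db:...` with the fingerprint copied from the server console; a mismatch on a host whose key timestamps did not change means something other than the expected server is answering, or the client is reading a different known_hosts than you think.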

