On Fri, Oct 23 2020, Damien Miller <d...@mindrot.org> wrote:
> On Fri, 23 Oct 2020, Jeremie Courreges-Anglas wrote:
>
>> 
>> I upgraded my ports builder from snaps yesterday and I hit this when
>> running cvs up:
>> 
>> --8<--
>> russell ~$ ssh anon...@ftp.hostserver.de
>> Warning: the ED25519 host key for 'ftp.hostserver.de' differs from the key 
>> for the IP address '2a00:15a8:0:100:d91f:5023:0:1'
>> Offending key for IP in /home/jca/.ssh/known_hosts:2
>> Matching host key in /home/jca/.ssh/known_hosts:12
>> Are you sure you want to continue connecting (yes/no)? ^C
>> russell ~$ grep -n -F -e ftp.hostserver.de -e 217.31.80.35 -e 
>> 2a00:15a8:0:100:d91f:5023:0:1 ~/.ssh/known_hosts
>> 1:ftp.hostserver.de,217.31.80.35 ecdsa-sha2-nistp256 
>> AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF7jym1iJpFZfWWS+TTCGQv/CcVoFR4MVCR45YB6mmTL3V5bWwIQ8ggYGgbLcRV+M9VQL2zm0Nykw5HXbFXQ9D8=
>> 2:2a00:15a8:0:100:d91f:5023:0:1 ecdsa-sha2-nistp256 
>> AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF7jym1iJpFZfWWS+TTCGQv/CcVoFR4MVCR45YB6mmTL3V5bWwIQ8ggYGgbLcRV+M9VQL2zm0Nykw5HXbFXQ9D8=
>> 11:ftp.hostserver.de,217.31.80.35 ssh-rsa
>> AAAAB3NzaC1yc2EAAAADAQABAAABAQDlCI96jPiGKnN07xj5ZhVPvo0gMo3TZOMtuf02afv9xm6+2vQlVqJThnavg3W0u6gaHV45MtldA/P4DaQbG50DPof9mJ3y1U2hbl+kU8tTfpVMC0WdXHbTpSmdkp5KVirFwZcubd2UFn8dXNtosULMahghvI2WzynLiO/hILzMrKE3J9LMG9mH2cbB3dAZ2KsHklQnrPb8xWhvaskcs3z94LgNyZbxF3uhOZBz019m5ba/DMjyoTLoNNNSRZ/Ur8JQIRSVzQPUwJ+AXCiZ8OoPF6RNmU9WjTFPt5K7dr4kOyZpDTBu103b2TUaJfiB/Gz2BNqyK11tLjLfXQO6Wez5
>> 12:ftp.hostserver.de,217.31.80.35 ssh-ed25519 
>> AAAAC3NzaC1lZDI1NTE5AAAAIGtEuMXXJNl4whGkEOPWiq/XHgfzejdJvOKFL8S3kZDL
>> -->8--
>> 
>> I have "family inet6 inet4" on this machine, so IPv6 is tried first.
>> 
>> On my laptop I hit the same issue with a dual-stack server of mine, both
>> with ssh -4 and ssh -6 <server> (I can provide details if needed).
>> 
>> After cvs up -D2020/10/03, ./ssh/obj/ssh doesn't spit the warning, it
>> happens again with cvs up -D2020/10/04.
>> 
>> cc'ing djm since this *looks* like fallout from the recent
>> UpdateHostKeys changes.
>
> I think these were the problems that I fixed around 2020/10/14. If
> you remove line 12 from your known_hosts and reconnect with a ssh
> built after that then you should be fine.

Indeed I'm fine after removing line 12:

--8<--
russell ~$ ssh -6 anon...@ftp.hostserver.de
PTY allocation request failed on channel 0

To use anonymous CVS install the latest version of CVS on your local machine.
Then set your CVSROOT environment variable to the following value:
        anon...@ftp.hostserver.de:/cvs

-->8--

But if I later try to connect using IPv4:

--8<--
russell ~$ ssh -4 anon...@ftp.hostserver.de
Warning: the ED25519 host key for 'ftp.hostserver.de' differs from the key for 
the IP address '217.31.80.35'
Offending key for IP in /home/jca/.ssh/known_hosts:11
Matching host key in /home/jca/.ssh/known_hosts:14
Are you sure you want to continue connecting (yes/no)? ^C
russell ~$
I-search:
russell ~$ grep -n -F -e ftp.hostserver.de -e 217.31.80.35 -e 
2a00:15a8:0:100:d91f:5023:0:1 ~/.ssh/known_hosts
1:ftp.hostserver.de,217.31.80.35 ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF7jym1iJpFZfWWS+TTCGQv/CcVoFR4MVCR45YB6mmTL3V5bWwIQ8ggYGgbLcRV+M9VQL2zm0Nykw5HXbFXQ9D8=
2:2a00:15a8:0:100:d91f:5023:0:1 ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF7jym1iJpFZfWWS+TTCGQv/CcVoFR4MVCR45YB6mmTL3V5bWwIQ8ggYGgbLcRV+M9VQL2zm0Nykw5HXbFXQ9D8=
11:ftp.hostserver.de,217.31.80.35 ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDlCI96jPiGKnN07xj5ZhVPvo0gMo3TZOMtuf02afv9xm6+2vQlVqJThnavg3W0u6gaHV45MtldA/P4DaQbG50DPof9mJ3y1U2hbl+kU8tTfpVMC0WdXHbTpSmdkp5KVirFwZcubd2UFn8dXNtosULMahghvI2WzynLiO/hILzMrKE3J9LMG9mH2cbB3dAZ2KsHklQnrPb8xWhvaskcs3z94LgNyZbxF3uhOZBz019m5ba/DMjyoTLoNNNSRZ/Ur8JQIRSVzQPUwJ+AXCiZ8OoPF6RNmU9WjTFPt5K7dr4kOyZpDTBu103b2TUaJfiB/Gz2BNqyK11tLjLfXQO6Wez5
13:2a00:15a8:0:100:d91f:5023:0:1 ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDlCI96jPiGKnN07xj5ZhVPvo0gMo3TZOMtuf02afv9xm6+2vQlVqJThnavg3W0u6gaHV45MtldA/P4DaQbG50DPof9mJ3y1U2hbl+kU8tTfpVMC0WdXHbTpSmdkp5KVirFwZcubd2UFn8dXNtosULMahghvI2WzynLiO/hILzMrKE3J9LMG9mH2cbB3dAZ2KsHklQnrPb8xWhvaskcs3z94LgNyZbxF3uhOZBz019m5ba/DMjyoTLoNNNSRZ/Ur8JQIRSVzQPUwJ+AXCiZ8OoPF6RNmU9WjTFPt5K7dr4kOyZpDTBu103b2TUaJfiB/Gz2BNqyK11tLjLfXQO6Wez5
14:ftp.hostserver.de,2a00:15a8:0:100:d91f:5023:0:1 ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIGtEuMXXJNl4whGkEOPWiq/XHgfzejdJvOKFL8S3kZDL
-->8--

All right, so let's start almost from scratch.  Say I have only two
entries in my known hosts file, for this very server.  The host key is
ecdsa-sha2-nistp256, which IIUC was the default until

  revision 1.333
  date: 2020/10/03 04:15:06;  author: djm;  state: Exp;  lines: +16 -13;  commitid: glgM95wJWyZicjGj;
  prefer ed25519 signature algorithm variants to ECDSA; ok markus@

If I try to connect using v6, then v4:

--8<--
russell ~$ cat ~/.ssh/known_hosts
ftp.hostserver.de,217.31.80.35 ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF7jym1iJpFZfWWS+TTCGQv/CcVoFR4MVCR45YB6mmTL3V5bWwIQ8ggYGgbLcRV+M9VQL2zm0Nykw5HXbFXQ9D8=
2a00:15a8:0:100:d91f:5023:0:1 ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF7jym1iJpFZfWWS+TTCGQv/CcVoFR4MVCR45YB6mmTL3V5bWwIQ8ggYGgbLcRV+M9VQL2zm0Nykw5HXbFXQ9D8=
russell ~$ ssh -6 anon...@ftp.hostserver.de
PTY allocation request failed on channel 0

To use anonymous CVS install the latest version of CVS on your local machine.
Then set your CVSROOT environment variable to the following value:
        anon...@ftp.hostserver.de:/cvs

russell ~$ cat ~/.ssh/known_hosts
ftp.hostserver.de,217.31.80.35 ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF7jym1iJpFZfWWS+TTCGQv/CcVoFR4MVCR45YB6mmTL3V5bWwIQ8ggYGgbLcRV+M9VQL2zm0Nykw5HXbFXQ9D8=
2a00:15a8:0:100:d91f:5023:0:1 ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF7jym1iJpFZfWWS+TTCGQv/CcVoFR4MVCR45YB6mmTL3V5bWwIQ8ggYGgbLcRV+M9VQL2zm0Nykw5HXbFXQ9D8=
ftp.hostserver.de,2a00:15a8:0:100:d91f:5023:0:1 ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDlCI96jPiGKnN07xj5ZhVPvo0gMo3TZOMtuf02afv9xm6+2vQlVqJThnavg3W0u6gaHV45MtldA/P4DaQbG50DPof9mJ3y1U2hbl+kU8tTfpVMC0WdXHbTpSmdkp5KVirFwZcubd2UFn8dXNtosULMahghvI2WzynLiO/hILzMrKE3J9LMG9mH2cbB3dAZ2KsHklQnrPb8xWhvaskcs3z94LgNyZbxF3uhOZBz019m5ba/DMjyoTLoNNNSRZ/Ur8JQIRSVzQPUwJ+AXCiZ8OoPF6RNmU9WjTFPt5K7dr4kOyZpDTBu103b2TUaJfiB/Gz2BNqyK11tLjLfXQO6Wez5
ftp.hostserver.de,2a00:15a8:0:100:d91f:5023:0:1 ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIGtEuMXXJNl4whGkEOPWiq/XHgfzejdJvOKFL8S3kZDL
russell ~$ ssh -4 anon...@ftp.hostserver.de
Warning: the ED25519 host key for 'ftp.hostserver.de' differs from the key for 
the IP address '217.31.80.35'
Offending key for IP in /home/jca/.ssh/known_hosts:1
Matching host key in /home/jca/.ssh/known_hosts:4
Are you sure you want to continue connecting (yes/no)? ^C
-->8--

So there is a conflict between line 1 and line 4:

1 ftp.hostserver.de,217.31.80.35 ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF7jym1iJpFZfWWS+TTCGQv/CcVoFR4MVCR45YB6mmTL3V5bWwIQ8ggYGgbLcRV+M9VQL2zm0Nykw5HXbFXQ9D8=

4 ftp.hostserver.de,2a00:15a8:0:100:d91f:5023:0:1 ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIGtEuMXXJNl4whGkEOPWiq/XHgfzejdJvOKFL8S3kZDL

Two different key types.  Let's try to reverse the order and connect with v4 
first:

--8<--
russell ~$ cat ~/.ssh/known_hosts
ftp.hostserver.de,217.31.80.35 ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF7jym1iJpFZfWWS+TTCGQv/CcVoFR4MVCR45YB6mmTL3V5bWwIQ8ggYGgbLcRV+M9VQL2zm0Nykw5HXbFXQ9D8=
2a00:15a8:0:100:d91f:5023:0:1 ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF7jym1iJpFZfWWS+TTCGQv/CcVoFR4MVCR45YB6mmTL3V5bWwIQ8ggYGgbLcRV+M9VQL2zm0Nykw5HXbFXQ9D8=
russell ~$ ssh -4 anon...@ftp.hostserver.de
PTY allocation request failed on channel 0

To use anonymous CVS install the latest version of CVS on your local machine.
Then set your CVSROOT environment variable to the following value:
        anon...@ftp.hostserver.de:/cvs

^Crussell ~$ cat ~/.ssh/known_hosts
ftp.hostserver.de,217.31.80.35 ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF7jym1iJpFZfWWS+TTCGQv/CcVoFR4MVCR45YB6mmTL3V5bWwIQ8ggYGgbLcRV+M9VQL2zm0Nykw5HXbFXQ9D8=
2a00:15a8:0:100:d91f:5023:0:1 ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF7jym1iJpFZfWWS+TTCGQv/CcVoFR4MVCR45YB6mmTL3V5bWwIQ8ggYGgbLcRV+M9VQL2zm0Nykw5HXbFXQ9D8=
ftp.hostserver.de,217.31.80.35 ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDlCI96jPiGKnN07xj5ZhVPvo0gMo3TZOMtuf02afv9xm6+2vQlVqJThnavg3W0u6gaHV45MtldA/P4DaQbG50DPof9mJ3y1U2hbl+kU8tTfpVMC0WdXHbTpSmdkp5KVirFwZcubd2UFn8dXNtosULMahghvI2WzynLiO/hILzMrKE3J9LMG9mH2cbB3dAZ2KsHklQnrPb8xWhvaskcs3z94LgNyZbxF3uhOZBz019m5ba/DMjyoTLoNNNSRZ/Ur8JQIRSVzQPUwJ+AXCiZ8OoPF6RNmU9WjTFPt5K7dr4kOyZpDTBu103b2TUaJfiB/Gz2BNqyK11tLjLfXQO6Wez5
ftp.hostserver.de,217.31.80.35 ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIGtEuMXXJNl4whGkEOPWiq/XHgfzejdJvOKFL8S3kZDL
russell ~$ ssh -6 anon...@ftp.hostserver.de
Warning: the ED25519 host key for 'ftp.hostserver.de' differs from the key for 
the IP address '2a00:15a8:0:100:d91f:5023:0:1'
Offending key for IP in /home/jca/.ssh/known_hosts:2
Matching host key in /home/jca/.ssh/known_hosts:4
Are you sure you want to continue connecting (yes/no)? ^C
-->8--

Here there's a conflict between lines 2 and 4:

2 2a00:15a8:0:100:d91f:5023:0:1 ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF7jym1iJpFZfWWS+TTCGQv/CcVoFR4MVCR45YB6mmTL3V5bWwIQ8ggYGgbLcRV+M9VQL2zm0Nykw5HXbFXQ9D8=

4 ftp.hostserver.de,217.31.80.35 ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIGtEuMXXJNl4whGkEOPWiq/XHgfzejdJvOKFL8S3kZDL

Also two different key types, but the first line starts with just an
<IPv6 address>, not a <hostname,IPv4 address> couple.  Why would two
different key types conflict?

I did not try to look at the code, I just glanced over the recent commit
messages (you probably know the whys and hows better than me).

Sorry to reply three days later, I've been busy and this one proved puzzling.

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
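
An added example, not part of the original message and not OpenSSH code: a small known_hosts audit that reports key types recorded under a host name but missing under one of its addresses, which is the state both transcripts above end in. The sample file is constructed from the four-line listing in the message, with placeholder key blobs; the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample mirroring the four-line file in the message above;
# the key blobs are placeholders, not real keys.
SAMPLE = """\
ftp.hostserver.de,217.31.80.35 ecdsa-sha2-nistp256 KEY-ECDSA
2a00:15a8:0:100:d91f:5023:0:1 ecdsa-sha2-nistp256 KEY-ECDSA
ftp.hostserver.de,2a00:15a8:0:100:d91f:5023:0:1 ssh-rsa KEY-RSA
ftp.hostserver.de,2a00:15a8:0:100:d91f:5023:0:1 ssh-ed25519 KEY-ED25519
"""

def parse_known_hosts(text):
    """Map each plain name/address to {key type: [(line number, blob), ...]}."""
    table = defaultdict(lambda: defaultdict(list))
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        # Skip blanks, comments, @cert-authority/@revoked lines and short lines.
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        names, keytype, blob = fields[:3]
        for name in names.split(","):
            # Hashed (|1|...) entries cannot be matched as strings and
            # negated (!pattern) entries are not host entries: skip both.
            if name.startswith(("|", "!")):
                continue
            table[name][keytype].append((lineno, blob))
    return table

def missing_for_address(text, host, address):
    """Key types stored for host but not for address, with the lines involved."""
    table = parse_known_hosts(text)
    host_keys, addr_keys = table.get(host, {}), table.get(address, {})
    findings = []
    for keytype, entries in sorted(host_keys.items()):
        if keytype not in addr_keys:
            findings.append({
                "keytype": keytype,
                "host_lines": [n for n, _ in entries],
                "address_lines": sorted(
                    n for e in addr_keys.values() for n, _ in e),
            })
    return findings

if __name__ == "__main__":
    for finding in missing_for_address(SAMPLE, "ftp.hostserver.de", "217.31.80.35"):
        print(finding)
```

Names are compared as literal strings, so wildcard patterns and `[host]:port` entries only match when given in exactly that form. A key of the same type with a different blob is a separate condition that this audit does not report.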
