On Fri, Oct 23 2020, Damien Miller <d...@mindrot.org> wrote:
> On Fri, 23 Oct 2020, Jeremie Courreges-Anglas wrote:
>
>>
>> I upgraded my ports builder from snaps yesterday and I hit this when
>> running cvs up:
>>
>> --8<--
>> russell ~$ ssh anon...@ftp.hostserver.de
>> Warning: the ED25519 host key for 'ftp.hostserver.de' differs from the key
>> for the IP address '2a00:15a8:0:100:d91f:5023:0:1'
>> Offending key for IP in /home/jca/.ssh/known_hosts:2
>> Matching host key in /home/jca/.ssh/known_hosts:12
>> Are you sure you want to continue connecting (yes/no)? ^C
>> russell ~$ grep -n -F -e ftp.hostserver.de -e 217.31.80.35 -e
>> 2a00:15a8:0:100:d91f:5023:0:1 ~/.ssh/known_hosts
>> 1:ftp.hostserver.de,217.31.80.35 ecdsa-sha2-nistp256
>> AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF7jym1iJpFZfWWS+TTCGQv/CcVoFR4MVCR45YB6mmTL3V5bWwIQ8ggYGgbLcRV+M9VQL2zm0Nykw5HXbFXQ9D8=
>> 2:2a00:15a8:0:100:d91f:5023:0:1 ecdsa-sha2-nistp256
>> AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF7jym1iJpFZfWWS+TTCGQv/CcVoFR4MVCR45YB6mmTL3V5bWwIQ8ggYGgbLcRV+M9VQL2zm0Nykw5HXbFXQ9D8=
>> 11:ftp.hostserver.de,217.31.80.35 ssh-rsa
>> AAAAB3NzaC1yc2EAAAADAQABAAABAQDlCI96jPiGKnN07xj5ZhVPvo0gMo3TZOMtuf02afv9xm6+2vQlVqJThnavg3W0u6gaHV45MtldA/P4DaQbG50DPof9mJ3y1U2hbl+kU8tTfpVMC0WdXHbTpSmdkp5KVirFwZcubd2UFn8dXNtosULMahghvI2WzynLiO/hILzMrKE3J9LMG9mH2cbB3dAZ2KsHklQnrPb8xWhvaskcs3z94LgNyZbxF3uhOZBz019m5ba/DMjyoTLoNNNSRZ/Ur8JQIRSVzQPUwJ+AXCiZ8OoPF6RNmU9WjTFPt5K7dr4kOyZpDTBu103b2TUaJfiB/Gz2BNqyK11tLjLfXQO6Wez5
>> 12:ftp.hostserver.de,217.31.80.35 ssh-ed25519
>> AAAAC3NzaC1lZDI1NTE5AAAAIGtEuMXXJNl4whGkEOPWiq/XHgfzejdJvOKFL8S3kZDL
>> -->8--
>>
>> I have "family inet6 inet4" on this machine, so IPv6 is tried first.
>>
>> On my laptop I hit the same issue with a dual-stack server of mine, both
>> with ssh -4 and ssh -6 <server> (I can provide details if needed).
>>
>> After cvs up -D2020/10/03, ./ssh/obj/ssh doesn't spit the warning, it
>> happens again with cvs up -D2020/10/04.
>>
>> cc'ing djm since this *looks* like fallout from the recent
>> UpdateHostKeys changes.
>
> I think these were the problems that I fixed around 2020/10/14. If
> you remove line 12 from your known_hosts and reconnect with a ssh
> built after that then you should be fine.

Indeed I'm fine after removing line 12:

--8<--
russell ~$ ssh -6 anon...@ftp.hostserver.de
PTY allocation request failed on channel 0
To use anonymous CVS install the latest version of CVS on your local machine.
Then set your CVSROOT environment variable to the following value:
anon...@ftp.hostserver.de:/cvs
-->8--

But if I later try to connect using IPv4:

--8<--
russell ~$ ssh -4 anon...@ftp.hostserver.de
Warning: the ED25519 host key for 'ftp.hostserver.de' differs from the key for the IP address '217.31.80.35'
Offending key for IP in /home/jca/.ssh/known_hosts:11
Matching host key in /home/jca/.ssh/known_hosts:14
Are you sure you want to continue connecting (yes/no)? ^C
russell ~$ I-search:
russell ~$ grep -n -F -e ftp.hostserver.de -e 217.31.80.35 -e 2a00:15a8:0:100:d91f:5023:0:1 ~/.ssh/known_hosts
1:ftp.hostserver.de,217.31.80.35 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF7jym1iJpFZfWWS+TTCGQv/CcVoFR4MVCR45YB6mmTL3V5bWwIQ8ggYGgbLcRV+M9VQL2zm0Nykw5HXbFXQ9D8=
2:2a00:15a8:0:100:d91f:5023:0:1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF7jym1iJpFZfWWS+TTCGQv/CcVoFR4MVCR45YB6mmTL3V5bWwIQ8ggYGgbLcRV+M9VQL2zm0Nykw5HXbFXQ9D8=
11:ftp.hostserver.de,217.31.80.35 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDlCI96jPiGKnN07xj5ZhVPvo0gMo3TZOMtuf02afv9xm6+2vQlVqJThnavg3W0u6gaHV45MtldA/P4DaQbG50DPof9mJ3y1U2hbl+kU8tTfpVMC0WdXHbTpSmdkp5KVirFwZcubd2UFn8dXNtosULMahghvI2WzynLiO/hILzMrKE3J9LMG9mH2cbB3dAZ2KsHklQnrPb8xWhvaskcs3z94LgNyZbxF3uhOZBz019m5ba/DMjyoTLoNNNSRZ/Ur8JQIRSVzQPUwJ+AXCiZ8OoPF6RNmU9WjTFPt5K7dr4kOyZpDTBu103b2TUaJfiB/Gz2BNqyK11tLjLfXQO6Wez5
13:2a00:15a8:0:100:d91f:5023:0:1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDlCI96jPiGKnN07xj5ZhVPvo0gMo3TZOMtuf02afv9xm6+2vQlVqJThnavg3W0u6gaHV45MtldA/P4DaQbG50DPof9mJ3y1U2hbl+kU8tTfpVMC0WdXHbTpSmdkp5KVirFwZcubd2UFn8dXNtosULMahghvI2WzynLiO/hILzMrKE3J9LMG9mH2cbB3dAZ2KsHklQnrPb8xWhvaskcs3z94LgNyZbxF3uhOZBz019m5ba/DMjyoTLoNNNSRZ/Ur8JQIRSVzQPUwJ+AXCiZ8OoPF6RNmU9WjTFPt5K7dr4kOyZpDTBu103b2TUaJfiB/Gz2BNqyK11tLjLfXQO6Wez5
14:ftp.hostserver.de,2a00:15a8:0:100:d91f:5023:0:1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGtEuMXXJNl4whGkEOPWiq/XHgfzejdJvOKFL8S3kZDL
-->8--

All right, so let's start almost from scratch.  Say I have only two
entries in my known hosts file, for this very server.  The host key is
ecdsa-sha2-nistp256, which IIUC was the default until

revision 1.333
date: 2020/10/03 04:15:06;  author: djm;  state: Exp;  lines: +16 -13;  commitid: glgM95wJWyZicjGj;
prefer ed25519 signature algorithm variants to ECDSA; ok markus@

If I try to connect using v6, then v4:

--8<--
russell ~$ cat ~/.ssh/known_hosts
ftp.hostserver.de,217.31.80.35 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF7jym1iJpFZfWWS+TTCGQv/CcVoFR4MVCR45YB6mmTL3V5bWwIQ8ggYGgbLcRV+M9VQL2zm0Nykw5HXbFXQ9D8=
2a00:15a8:0:100:d91f:5023:0:1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF7jym1iJpFZfWWS+TTCGQv/CcVoFR4MVCR45YB6mmTL3V5bWwIQ8ggYGgbLcRV+M9VQL2zm0Nykw5HXbFXQ9D8=
russell ~$ ssh -6 anon...@ftp.hostserver.de
PTY allocation request failed on channel 0
To use anonymous CVS install the latest version of CVS on your local machine.
Then set your CVSROOT environment variable to the following value:
anon...@ftp.hostserver.de:/cvs
russell ~$ cat ~/.ssh/known_hosts
ftp.hostserver.de,217.31.80.35 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF7jym1iJpFZfWWS+TTCGQv/CcVoFR4MVCR45YB6mmTL3V5bWwIQ8ggYGgbLcRV+M9VQL2zm0Nykw5HXbFXQ9D8=
2a00:15a8:0:100:d91f:5023:0:1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF7jym1iJpFZfWWS+TTCGQv/CcVoFR4MVCR45YB6mmTL3V5bWwIQ8ggYGgbLcRV+M9VQL2zm0Nykw5HXbFXQ9D8=
ftp.hostserver.de,2a00:15a8:0:100:d91f:5023:0:1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDlCI96jPiGKnN07xj5ZhVPvo0gMo3TZOMtuf02afv9xm6+2vQlVqJThnavg3W0u6gaHV45MtldA/P4DaQbG50DPof9mJ3y1U2hbl+kU8tTfpVMC0WdXHbTpSmdkp5KVirFwZcubd2UFn8dXNtosULMahghvI2WzynLiO/hILzMrKE3J9LMG9mH2cbB3dAZ2KsHklQnrPb8xWhvaskcs3z94LgNyZbxF3uhOZBz019m5ba/DMjyoTLoNNNSRZ/Ur8JQIRSVzQPUwJ+AXCiZ8OoPF6RNmU9WjTFPt5K7dr4kOyZpDTBu103b2TUaJfiB/Gz2BNqyK11tLjLfXQO6Wez5
ftp.hostserver.de,2a00:15a8:0:100:d91f:5023:0:1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGtEuMXXJNl4whGkEOPWiq/XHgfzejdJvOKFL8S3kZDL
russell ~$ ssh -4 anon...@ftp.hostserver.de
Warning: the ED25519 host key for 'ftp.hostserver.de' differs from the key for the IP address '217.31.80.35'
Offending key for IP in /home/jca/.ssh/known_hosts:1
Matching host key in /home/jca/.ssh/known_hosts:4
Are you sure you want to continue connecting (yes/no)? ^C
-->8--

So there is a conflict between line 1 and line 4:

1 ftp.hostserver.de,217.31.80.35 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF7jym1iJpFZfWWS+TTCGQv/CcVoFR4MVCR45YB6mmTL3V5bWwIQ8ggYGgbLcRV+M9VQL2zm0Nykw5HXbFXQ9D8=
4 ftp.hostserver.de,2a00:15a8:0:100:d91f:5023:0:1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGtEuMXXJNl4whGkEOPWiq/XHgfzejdJvOKFL8S3kZDL

Two different key types.

Let's try to reverse the order and connect with v4 first:

--8<--
russell ~$ cat ~/.ssh/known_hosts
ftp.hostserver.de,217.31.80.35 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF7jym1iJpFZfWWS+TTCGQv/CcVoFR4MVCR45YB6mmTL3V5bWwIQ8ggYGgbLcRV+M9VQL2zm0Nykw5HXbFXQ9D8=
2a00:15a8:0:100:d91f:5023:0:1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF7jym1iJpFZfWWS+TTCGQv/CcVoFR4MVCR45YB6mmTL3V5bWwIQ8ggYGgbLcRV+M9VQL2zm0Nykw5HXbFXQ9D8=
russell ~$ ssh -4 anon...@ftp.hostserver.de
PTY allocation request failed on channel 0
To use anonymous CVS install the latest version of CVS on your local machine.
Then set your CVSROOT environment variable to the following value:
anon...@ftp.hostserver.de:/cvs
^Crussell ~$ cat ~/.ssh/known_hosts
ftp.hostserver.de,217.31.80.35 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF7jym1iJpFZfWWS+TTCGQv/CcVoFR4MVCR45YB6mmTL3V5bWwIQ8ggYGgbLcRV+M9VQL2zm0Nykw5HXbFXQ9D8=
2a00:15a8:0:100:d91f:5023:0:1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF7jym1iJpFZfWWS+TTCGQv/CcVoFR4MVCR45YB6mmTL3V5bWwIQ8ggYGgbLcRV+M9VQL2zm0Nykw5HXbFXQ9D8=
ftp.hostserver.de,217.31.80.35 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDlCI96jPiGKnN07xj5ZhVPvo0gMo3TZOMtuf02afv9xm6+2vQlVqJThnavg3W0u6gaHV45MtldA/P4DaQbG50DPof9mJ3y1U2hbl+kU8tTfpVMC0WdXHbTpSmdkp5KVirFwZcubd2UFn8dXNtosULMahghvI2WzynLiO/hILzMrKE3J9LMG9mH2cbB3dAZ2KsHklQnrPb8xWhvaskcs3z94LgNyZbxF3uhOZBz019m5ba/DMjyoTLoNNNSRZ/Ur8JQIRSVzQPUwJ+AXCiZ8OoPF6RNmU9WjTFPt5K7dr4kOyZpDTBu103b2TUaJfiB/Gz2BNqyK11tLjLfXQO6Wez5
ftp.hostserver.de,217.31.80.35 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGtEuMXXJNl4whGkEOPWiq/XHgfzejdJvOKFL8S3kZDL
russell ~$ ssh -6 anon...@ftp.hostserver.de
Warning: the ED25519 host key for 'ftp.hostserver.de' differs from the key for the IP address '2a00:15a8:0:100:d91f:5023:0:1'
Offending key for IP in /home/jca/.ssh/known_hosts:2
Matching host key in /home/jca/.ssh/known_hosts:4
Are you sure you want to continue connecting (yes/no)? ^C
-->8--

Here there's a conflict between line 2 and 4:

2 2a00:15a8:0:100:d91f:5023:0:1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF7jym1iJpFZfWWS+TTCGQv/CcVoFR4MVCR45YB6mmTL3V5bWwIQ8ggYGgbLcRV+M9VQL2zm0Nykw5HXbFXQ9D8=
4 ftp.hostserver.de,217.31.80.35 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGtEuMXXJNl4whGkEOPWiq/XHgfzejdJvOKFL8S3kZDL

Also two different key types, but the first line starts with just an
<IPv6 address>, not a <hostname,IPv4 address> couple.

Why would two different key types conflict?  I did not try to look at
the code, I just glanced over the recent commit messages (you probably
know the whys and hows better than me).

Sorry to reply three days later, I've been busy and this one proved
puzzling.

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
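
An added example, not part of the original message and not OpenSSH code: a small Python audit that flags the pattern visible in the transcripts above, a key stored under the host name with no identical key stored under the address while the address has other keys on file. The host name, addresses and key blobs in the sample are constructed placeholders; it assumes plain (unhashed) names on the default port and is a reading of the warnings shown, not of ssh's own matching logic.

```python
"""Audit a known_hosts file for host-name/address entries that disagree."""

# Constructed sample: same layout as the v6-then-v4 transcript, placeholder blobs.
SAMPLE = """\
host.example,192.0.2.10 ecdsa-sha2-nistp256 ECDSA_BLOB_PLACEHOLDER
2001:db8::1 ecdsa-sha2-nistp256 ECDSA_BLOB_PLACEHOLDER
host.example,2001:db8::1 ssh-rsa RSA_BLOB_PLACEHOLDER
host.example,2001:db8::1 ssh-ed25519 ED25519_BLOB_PLACEHOLDER
"""


def parse_known_hosts(text):
    """Yield (lineno, names, keytype, blob) for plain, unhashed entries."""
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        # Skip blanks, comments, @cert-authority/@revoked markers, hashed names.
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        yield lineno, fields[0].split(","), fields[1], fields[2]


def find_mismatches(text, host, address):
    """Return (keytype, host_line, address_line) for every key stored under
    `host` that is not stored under `address`, when `address` has other keys.
    """
    host_keys, addr_keys = {}, {}
    for lineno, names, keytype, blob in parse_known_hosts(text):
        if host in names:
            host_keys.setdefault((keytype, blob), lineno)
        if address in names:
            addr_keys.setdefault((keytype, blob), lineno)
    if not addr_keys:
        return []  # address never recorded, so nothing to disagree with
    first_addr_line = min(addr_keys.values())
    return [(keytype, lineno, first_addr_line)
            for (keytype, blob), lineno in host_keys.items()
            if (keytype, blob) not in addr_keys]


if __name__ == "__main__":
    for addr in ("192.0.2.10", "2001:db8::1"):
        for keytype, host_line, addr_line in find_mismatches(
                SAMPLE, "host.example", addr):
            print(f"{addr}: {keytype} for host on line {host_line}, "
                  f"address only has other keys (first on line {addr_line})")
```

On the sample, the IPv4 address is reported against lines 4 and 1, the same pair of line numbers the ssh -4 warning names in that transcript.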