Public bug reported:

When I use the port option with ssh-keygen, the result is not compatible with the ssh known_hosts file format.

UBUNTU VERSION :
================
lsb_release -rd
Description:    Ubuntu 16.04.1 LTS
Release:        16.04

BAD :
============
:~/.ssh$ cat /etc/issue
Ubuntu 16.04.1 LTS \n \l

:~/.ssh$ ssh-keyscan -v -p [...port...] -t ecdsa -H [...snip...]
debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000
# [...snip...]:[...port...] SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
debug1: Enabling compatibility mode for protocol 2.0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha...@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1...@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1...@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
[|1|BEEwVcggbNPf7fUydgU4O+BDoLg=|9SmWBUxFZkpR70Hqq8uqxLAzXFU=]:[...port...] ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLEde+dZfL0TW6Z9jh+gOkW5fG/qeP9JAejKQXdmg9D7CH4NwMrWDEjXBDDo6iirIPAB6M0uUnK2mDw7uUWXYt8=

==> we see the port number because it is not hashed!

GOOD :
============
rm ~/.ssh/known_hosts

:~/$ ssh -p [...port...] [...snip...]
The authenticity of host '[[...snip...]]:[...port...] ([[...snip...]]:[...port...])' can't be established.
ECDSA key fingerprint is SHA256:b/Jx+y3fNWFqOqTzFRI3XGrz33DBtAFFLmQaYQYFRnM.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[[...snip...]]:[...port...],[[...snip...]]:[...port...]' (ECDSA) to the list of known hosts.
[...snip...]@[...snip...]'s password:

:~/$ !cat
cat ~/.ssh/known_hosts
|1|qdg91H9/DMHLO7yGOivI17+WFQI=|B+a6SrzF1GBd3XFvmAvQRnJxLWs= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLEde+dZfL0TW6Z9jh+gOkW5fG/qeP9JAejKQXdmg9D7CH4NwMrWDEjXBDDo6iirIPAB6M0uUnK2mDw7uUWXYt8=
|1|8I/vbrBV04VaUF12JXRwxvAL9So=|ToMf+kRwbSeNertVdUVuG3iLdH8= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLEde+dZfL0TW6Z9jh+gOkW5fG/qeP9JAejKQXdmg9D7CH4NwMrWDEjXBDDo6iirIPAB6M0uUnK2mDw7uUWXYt8=

==> we cannot see the port number as it is well hashed!

REMARKS :
==============
The same problem has already been reported here (on macOS):
https://github.com/ansible/ansible-modules-extras/issues/2651

It seems that the ssh-keyscan version and the openssh version differ:
dpkg -l | grep openssh :: ii openssh-client 1:7.2p2-4ubuntu2.1 [...]
ssh-keyscan -v [...] :: debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000

It is very annoying because I am trying to manage hand-installed VMs with Ansible. For that I want to automate storing SSH host keys in the known_hosts database, and because of this bug I can't (Ansible KIKIN project in development).

Thank you, BR,
Gautier HUSSON.

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1670745

Title:
  ssh-keyscan : bad host signature when using port option

Status in openssh package in Ubuntu:
  New
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1670745/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
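The mismatch in the report comes down to what string gets hashed. A HashKnownHosts entry is `|1|base64(salt)|base64(HMAC-SHA1(salt, name))`, and for a non-default port the name ssh hashes and later looks up is the whole `[host]:port` string; a field of the form `[|1|...|...]:port` does not start with `|1|`, so the client treats it as a literal host pattern and it never matches. The following is an added illustration written for this page, not code from the bug report or from OpenSSH: it implements that format and the lookup, and shows a correctly hashed line matching while a line in the report's BAD shape does not. The host `vm.example.test`, port `2222`, the key blob and the fixed salt are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

HASH_MAGIC = "|1|"  # prefix of a hashed entry: |1|base64(salt)|base64(HMAC-SHA1(salt, name))


def lookup_name(host: str, port: int = 22) -> str:
    """The name ssh matches (and hashes): bare host on port 22, '[host]:port' otherwise."""
    return host if port == 22 else f"[{host}]:{port}"


def hash_hostname(name: str, salt: Optional[bytes] = None) -> str:
    """Build the hashed host field for `name`, as the ssh client does with HashKnownHosts."""
    if salt is None:
        salt = os.urandom(20)  # ssh draws a fresh 20-byte salt per entry
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()


def pattern_matches(pattern: str, name: str) -> bool:
    """Plain host pattern: only '*' and '?' are wildcards; brackets, dots and colons are literal.
    (Simplified: OpenSSH's '!' negation is not handled here.)"""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, name) is not None


def host_field_matches(field: str, name: str) -> bool:
    """Does the first column of a known_hosts line cover `name`?"""
    if field.startswith(HASH_MAGIC):
        try:
            _, _, salt_b64, digest_b64 = field.split("|")
            salt = base64.b64decode(salt_b64, validate=True)
            expected = base64.b64decode(digest_b64, validate=True)
        except ValueError:
            return False  # malformed hashed entry
        actual = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    # A field like '[|1|...|...]:2222' does not start with '|1|', so it lands here and is
    # compared literally; it can only match a host that is literally named that way.
    return any(pattern_matches(p, name) for p in field.split(","))


def find_key(known_hosts: str, host: str, port: int = 22) -> Optional[Tuple[str, str]]:
    """Return (keytype, key) from the first line whose host field matches, or None."""
    name = lookup_name(host, port)
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue  # comments and @cert-authority / @revoked markers are out of scope here
        parts = line.split(None, 3)  # hostfield, keytype, key, optional comment
        if len(parts) < 3:
            continue
        if host_field_matches(parts[0], name):
            return parts[1], parts[2]
    return None


# Constructed sample values (not the host, port or key from the report).
HOST, PORT = "vm.example.test", 2222
KEYTYPE, KEYDATA = "ecdsa-sha2-nistp256", "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYCONSTRUCTED"
SALT = bytes(range(20))  # fixed salt so the demo is deterministic

# What the ssh client writes: the whole '[host]:port' string is hashed.
GOOD_LINE = f"{hash_hostname(lookup_name(HOST, PORT), SALT)} {KEYTYPE} {KEYDATA}"
# The shape in the report's BAD output: only the host is hashed, then wrapped as '[hash]:port'.
BAD_LINE = f"[{hash_hostname(HOST, SALT)}]:{PORT} {KEYTYPE} {KEYDATA}"
# Unhashed form of the same entry, for comparison.
PLAIN_LINE = f"{lookup_name(HOST, PORT)} {KEYTYPE} {KEYDATA}"


def demo() -> dict:
    """Look the constructed host up in each line shape."""
    return {
        "good": find_key(GOOD_LINE, HOST, PORT),          # matches
        "bad": find_key(BAD_LINE, HOST, PORT),            # never matches
        "plain": find_key(PLAIN_LINE, HOST, PORT),        # matches
        "good_wrong_port": find_key(GOOD_LINE, HOST, 22), # port is part of the hashed name
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:16} -> {result}")
```

Because the hash is one-way, a line in the `[|1|...|...]:port` shape cannot be repaired in place; the entry has to be regenerated over the full `[host]:port` name (or written unhashed and hashed afterwards with `ssh-keygen -H`), which is also how a script can check a known_hosts file before trusting it: every hashed field must start with `|1|` and verify against the name actually used to connect.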