Building and testing latest released upstream https://mirror.hs-esslingen.de/pub/OpenBSD/OpenSSH/portable/openssh-7.4p1.tar.gz
autoreconf && ./configure && make -j 4 And Testing local ./ssh-keygen just built. To make sure lib dependencies are not the one that introduce this I built this on Trusty and Zesty after pulling in the "usual" build dependencies for openssh via "apt-get build-dep openssh". openssh-7.4p1$ ./ssh-keyscan 10.245.71.133 > ~/.ssh/known_hosts # 10.245.71.133:22 SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 # 10.245.71.133:22 SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 # 10.245.71.133:22 SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 # Save the initial file with Hosts openssh-7.4p1$ cp ~/.ssh/known_hosts ~/.ssh/known_hosts-upstream-step1 # Check if keys are known (working) openssh-7.4p1$ ./ssh ubuntu@10.245.71.133 Permission denied (publickey). # Hash entries openssh-7.4p1$ ./ssh-keygen -H /root/.ssh/known_hosts updated. Original contents retained as /root/.ssh/known_hosts.old WARNING: /root/.ssh/known_hosts.old contains unhashed entries Delete this file to ensure privacy of hostnames # Save the first round of hashes openssh-7.4p1$ cp ~/.ssh/known_hosts ~/.ssh/known_hosts-upstream-step2 # Check if keys are known (still working) openssh-7.4p1$ ./ssh ubuntu@10.245.71.133 Permission denied (publickey). # Re-hash breaking the content openssh-7.4p1$ ./ssh-keygen -H /root/.ssh/known_hosts updated. Original contents retained as /root/.ssh/known_hosts.old WARNING: /root/.ssh/known_hosts.old contains unhashed entries Delete this file to ensure privacy of hostnames # Save the re-hashed file openssh-7.4p1$ cp ~/.ssh/known_hosts ~/.ssh/known_hosts-upstream-step3 # Show the error of hashes now being unknown openssh-7.4p1$ ./ssh ubuntu@10.245.71.133 The authenticity of host '10.245.71.133 (10.245.71.133)' can't be established. ECDSA key fingerprint is SHA256:AoKckr17ygqfpIfx94bRSHAzrnVQN6DfKsHR0hySjTM. Are you sure you want to continue connecting (yes/no)? The Test can be driven further, the following loop shows nothing on good systems (no diff after the first hashing), while on broken systems it does rehash (and therefore show diff) over and over again. for i in $(seq 1 20); do ssh-keygen -H; diff -Naur /root/.ssh/known_hosts.old /root/.ssh/known_hosts; done -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1668093 Title: ssh-keygen -H corrupts already hashed entries Status in openssh package in Ubuntu: Confirmed Bug description: xenial @ 1:7.2p2-4ubuntu2.1 on amd64 has this bug. trusty @ 1:6.6p1-2ubuntu2.8 on amd64 does not have this bug. I have not tested any other ssh versions. The following should reproduce the issue: #ssh-keyscan XXXX > ~/.ssh/known_hosts # ssh root@XXXXX Permission denied (publickey). # ssh-keygen -H /root/.ssh/known_hosts updated. Original contents retained as /root/.ssh/known_hosts.old WARNING: /root/.ssh/known_hosts.old contains unhashed entries Delete this file to ensure privacy of hostnames # ssh root@XXXXXX Permission denied (publickey). # ssh-keygen -H /root/.ssh/known_hosts updated. Original contents retained as /root/.ssh/known_hosts.old WARNING: /root/.ssh/known_hosts.old contains unhashed entries Delete this file to ensure privacy of hostnames # ssh root@XXXXX The authenticity of host 'XXXXXX' can't be established. RSA key fingerprint is XXXXXX. Are you sure you want to continue connecting (yes/no)? # diff known_hosts.old known_hosts 1c1 < |1|BoAbRpUE3F5AzyprJcbjdepeDh8=|x/1AcaLxh45FlShmVQnlgx2qjxY= XXXXX --- > |1|nTPsoLxCugQyZi3pqOa2pc/cX64=|bUH5qwZlZPp8msMGHdLtslf3Huk= XXXXX To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1668093/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
