I've done some investigation into this and I'm not sure that the description is quite accurate, at least not for my situation anyway.
Having just built a new server and ssh'd into it on a non-standard port with no problem, I've done a bit of playing and found that the problem seems to present itself if there is already an entry in the known_hosts for the hostname that was set up with only an IPv4 connection.

The fix for an individual situation is to remove the entry from known_hosts with:

    ssh-keygen -R [hostname]:port

then reconnect and the appropriate entry will be added successfully.

To reproduce the problem try this:

- Rename your existing known_hosts file so you have a blank one but can return to the original when testing is complete.
- Drop your network interface, disable the IPv6 (remove the config temporarily) and re-enable the interface.
- ssh to a test host; this will place a suitable entry in the known_hosts file.
- Disconnect from the host.
- Drop your network interface, re-enable IPv6 and re-enable the interface.
- ssh to the same test host; this time you should get the error message that the ECDSA host key for the IP address is 'not in list of known hosts'.

There doesn't appear to be a problem the other way round, i.e. connecting with IPv6 to create the entry in known_hosts and then connecting with only IPv4.

Further investigation reveals the reason for this. If you look at the known_hosts file that was created when you first connected during that test you will find two entries. Since it was initially empty, both of these were created during the one connection. Since they are hashed you can't see what they were, but it makes sense that one is for the hostname and the other for the IP address. To confirm this try the following two commands:

    ssh-keygen -R [hostname]:port
    ssh-keygen -R [IPv4]:port

Both entries should now have been removed.

If you try connecting now (still having an empty known_hosts, but with the IPv6 enabled) you will again get two entries. This time, however, one of them will be for the IPv6 address.
Again, to confirm this try the following two commands:

    ssh-keygen -R [hostname]:port
    ssh-keygen -R [IPv6]:port

So the end result of this is that, when adding a host to the known_hosts using an IPv4 connection, the code is happy to ignore the fact that there is already an entry for the hostname (and IPv6 address) and simply adds the IPv4 address as well. When adding a host using an IPv6 connection, the fact that there is already an entry for the hostname and one for the IPv4 address causes the code prompting the addition of an entry to known_hosts to fail.

Interestingly, if you only have the entry for the hostname in known_hosts (and none for any IP) you get the same error, but the matching IPv6 address is automatically added without prompt (whereas it fails to add an entry if the IPv4 address is in there).

I would suggest that it makes sense for the error message to appear, but in both cases a prompt is required to make a change to the known_hosts file. It could be argued that this is a low security risk, but any automatic changes to known_hosts should be avoided on security grounds.

PS. Remember to restore your known_hosts from the backup ;)

--
https://bugs.launchpad.net/bugs/1271183

Title:
  ipv6 host key not added with non-default port
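The hashed known_hosts entries discussed in the comment above can be identified without deleting them, by recomputing the hash for each candidate name. This is an added example, not part of the original comment or of OpenSSH's code: it assumes the HashKnownHosts field layout `|1|salt|HMAC-SHA1` and the `[host]:port` naming used for non-default ports, and the host name, addresses, port and key text are constructed.

```python
import base64, hashlib, hmac, os

def host_token(host, port=22):
    """Name as ssh records it: bare for port 22, otherwise [host]:port."""
    return host if port == 22 else f"[{host}]:{port}"

def hash_entry(token, salt=None):
    """Hashed host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=token))."""
    salt = salt or os.urandom(20)
    mac = hmac.new(salt, token.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())

def entry_matches(field, token):
    """True if a hashed host field was derived from this token."""
    parts = field.split("|")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        return False  # not a hashed entry
    try:
        salt, want = base64.b64decode(parts[2]), base64.b64decode(parts[3])
    except ValueError:
        return False
    got = hmac.new(salt, token.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(got, want)

def audit(known_hosts_text, candidates, port):
    """Map each candidate name to the 1-based line numbers that match it."""
    found = {c: [] for c in candidates}
    for n, line in enumerate(known_hosts_text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for c in candidates:
            if entry_matches(fields[0], host_token(c, port)):
                found[c].append(n)
    return found

# Constructed sample: what an IPv4-only first connection on port 2222 leaves.
PORT = 2222
NAMES = ["test.example.org", "192.0.2.10", "2001:db8::10"]
KEY = "ecdsa-sha2-nistp256 AAAA-constructed-placeholder-key"
SAMPLE = "\n".join(f"{hash_entry(host_token(h, PORT))} {KEY}" for h in NAMES[:2])

if __name__ == "__main__":
    for name, lines in audit(SAMPLE, NAMES, PORT).items():
        print(host_token(name, PORT), "->", lines or "no entry")
```

On the constructed sample the hostname and IPv4 tokens each match one line and the IPv6 token matches none, which is the state the reproduction steps leave behind before the IPv6 connection.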