Bug 1006221 - command to remove outdated hostkey from known_hosts file wrong
Status: RESOLVED WONTFIX
Classification: openSUSE
Product: openSUSE Distribution
Component: Basesystem
Version: Leap 42.2
Hardware: Other / Other
Priority: P4 - Low, Severity: Minor
Assigned To: Petr Cerny
Whiteboard: maint:running:63339:moderate
Reported: 2016-10-21 14:43 UTC by Adam Spiers
Modified: 2020-05-12 17:55 UTC
Found By: Development
Description Adam Spiers 2016-10-21 14:43:24 UTC
When a host with a non-default port is in the ~/.ssh/known_hosts file then the suggested command to remove it does not work.  For example, if known_hosts contains:

  [192.168.42.129]:2222 ssh-rsa ....

then connecting with an outdated hostkey gives something like:

  Offending ECDSA key in /home/user/.ssh/known_hosts:440
  You can use following command to remove all keys for this IP:
  ssh-keygen -R 192.168.42.129 -f /home/user/.ssh/known_hosts

but that command doesn't do the right thing; it removes the entry for the hostkey on the default port 22, not on port 2222.  The correct command to suggest would have been:

  ssh-keygen -R [192.168.42.129]:2222 -f /home/user/.ssh/known_hosts

This is a resubmission of the upstream bug:

  https://bugzilla.mindrot.org/show_bug.cgi?id=2169

which was rightly resolved as INVALID because the bug actually comes from a SUSE-specific patch:

  https://build.opensuse.org/package/view_file/openSUSE:Leap:42.2/openssh/openssh-7.2p2-host_ident.patch?expand=1

The original source can be viewed here:

  https://github.com/openssh/openssh-portable/blob/00df97ff68a49a756d4b977cd02283690f5dfa34/sshconnect.c#L1089
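The report above hinges on one detail of the known_hosts format: a host reached on a port other than 22 is stored under the name `[host]:port`, so `ssh-keygen -R host` matches only the port-22 entry. The following is an added example, not code from the bug report, from OpenSSH or from the SUSE patch. It builds the removal command the warning should have suggested, and then shows, on a constructed known_hosts sample with fake key material, what a removal by bare host name leaves behind versus a removal by `[host]:port`. The `remove_host` function is a simplified, unhashed-only re-implementation of how `ssh-keygen -R` matches names; it is an assumption for illustration and skips hashed (`|1|...`) lines rather than attempting to match them.

```python
"""Added example: naming a non-default-port host in known_hosts and
removing its keys. Not part of OpenSSH or the SUSE patch."""

import shlex

# Constructed sample known_hosts content; the key blobs are fake placeholders.
SAMPLE_KNOWN_HOSTS = """\
192.168.42.129 ssh-rsa AAAAB3...default-port-key
[192.168.42.129]:2222 ssh-rsa AAAAB3...port-2222-key
[192.168.42.129]:2222,[alias.example]:2222 ecdsa-sha2-nistp256 AAAAE2...other-key
example.org,10.0.0.5 ssh-ed25519 AAAAC3...ed25519-key
|1|c2FsdA==|aGFzaA== ssh-rsa AAAAB3...hashed-entry
"""


def known_hosts_name(host: str, port: int = 22) -> str:
    """Return the name ssh stores for `host` in known_hosts: the bare host
    for port 22, and `[host]:port` for any other port. This is exactly the
    argument `ssh-keygen -R` must be given to hit the right entry."""
    return host if port == 22 else f"[{host}]:{port}"


def suggest_remove_command(host: str, port: int,
                           path: str = "~/.ssh/known_hosts") -> str:
    """Build the command the 'offending key' warning should print.
    The bug on this page: the bare host was printed even when port != 22.
    The name is shell-quoted because `[...]` is also a glob character class."""
    return f"ssh-keygen -R {shlex.quote(known_hosts_name(host, port))} -f {path}"


def remove_host(known_hosts_text: str, name: str):
    """Drop every unhashed line whose comma-separated host list contains
    `name` exactly (assumption: a simplified model of ssh-keygen -R matching
    for plain entries). Hashed lines and comments are left untouched here.
    Returns (remaining_text, number_of_lines_removed)."""
    kept, removed = [], 0
    for line in known_hosts_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith("|1|"):
            kept.append(line)
            continue
        fields = stripped.split()
        # An optional leading @cert-authority / @revoked marker shifts the host field.
        hosts_field = fields[1] if fields[0].startswith("@") else fields[0]
        if name in hosts_field.split(","):
            removed += 1
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    host, port, path = "192.168.42.129", 2222, "/home/user/.ssh/known_hosts"
    print("wrong suggestion :", suggest_remove_command(host, 22, path))
    print("right suggestion :", suggest_remove_command(host, port, path))

    _, n_bare = remove_host(SAMPLE_KNOWN_HOSTS, host)
    _, n_port = remove_host(SAMPLE_KNOWN_HOSTS, known_hosts_name(host, port))
    print(f"-R {host!r} removes {n_bare} line(s); "
          f"-R {known_hosts_name(host, port)!r} removes {n_port} line(s)")
```

Run stand-alone, the script shows that removing by the bare address touches only the port-22 line, while the bracketed name removes both lines carrying `[192.168.42.129]:2222` (including the one where it is listed alongside an alias). When typing the real command, quote the bracketed name as `suggest_remove_command` does, since an unquoted `[...]` can be expanded by the shell as a glob.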
Comment 1 Petr Cerny 2016-10-24 12:57:56 UTC
I'm wondering whether we shouldn't get rid of this at all...
Comment 2 Adam Spiers 2016-10-24 14:08:02 UTC
It's a helpful UI enhancement, so why not fix it instead of getting rid of it?

But it would be better if it was merged upstream ...
Comment 3 Petr Cerny 2016-10-25 11:20:25 UTC
It is, but producing a message depending on whether the port is standard 22 or something else will just inflate it. Mentioning the ssh-keygen(1) man page should be enough, imho.
Comment 4 Adam Spiers 2016-10-25 21:35:30 UTC
(In reply to Petr Cerny from comment #3)
> It is, but producing a message depending on whether the port is standard 22
> or something else will just inflate it.

It will inflate what?  It would hardly be a huge inflation to the source code.

> Mentioning the ssh-keygen(1) man page should be enough, imho.

Surely that's not as helpful as providing a command they can use directly via cut and paste?
Comment 5 Petr Cerny 2016-10-27 13:38:30 UTC
(In reply to Adam Spiers from comment #4)
> (In reply to Petr Cerny from comment #3)
> > It is, but producing a message depending on whether the port is standard 22
> > or something else will just inflate it.
> 
> It will inflate what?  It would hardly be a huge inflation to the source
> code.

I was afraid it would inflate the patch by adding reverse logic to ssh-keygen argument parsing. Fortunately it didn't turn out to be the case, so it will be fixed in the next MU.

> > Mentioning the ssh-keygen(1) man page should be enough, imho.
> 
> Surely that's not as helpful as providing a command they can use directly
> via cut and paste?

Yes, yet it also makes one more thing to think of when ssh-keygen behaviour changes, thus making it prone to rotting.
Comment 6 Adam Spiers 2016-11-01 12:47:15 UTC
(In reply to Petr Cerny from comment #5)
> (In reply to Adam Spiers from comment #4)
> > It will inflate what?  It would hardly be a huge inflation to the source
> > code.
> 
> I was afraid it would inflate the patch by adding reverse logic to
> ssh-keygen argument parsing.

Ah, OK.

> Fortunately it didn't turn out to be the case,
> so it will be fixed in the next MU.

Great, thanks!

> > > Mentioning the ssh-keygen(1) man page should be enough, imho.
> > 
> > Surely that's not as helpful as providing a command they can use directly
> > via cut and paste?
> 
> Yes, yet it also makes one more thing to think of when ssh-keygen behaviour
> changes, thus making it prone to rotting.

Yeah, that's true.  Hopefully low risk though :)
Comment 8 Swamp Workflow Management 2017-01-11 10:03:26 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-01-25.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63339
Comment 9 Swamp Workflow Management 2017-01-23 16:12:46 UTC
SUSE-SU-2017:0264-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1005480,1005893,1006221,1016366,1016368,1016369,1016370
CVE References: CVE-2016-10009,CVE-2016-10010,CVE-2016-10011,CVE-2016-10012,CVE-2016-8858
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    openssh-7.2p2-66.1, openssh-askpass-gnome-7.2p2-66.3
SUSE Linux Enterprise Server 12-SP2 (src):    openssh-7.2p2-66.1, openssh-askpass-gnome-7.2p2-66.3
SUSE Linux Enterprise Desktop 12-SP2 (src):    openssh-7.2p2-66.1, openssh-askpass-gnome-7.2p2-66.3
Comment 10 Swamp Workflow Management 2017-01-31 18:09:09 UTC
openSUSE-SU-2017:0344-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1005480,1005893,1006221,1016366,1016368,1016369,1016370,1021626
CVE References: CVE-2016-10009,CVE-2016-10010,CVE-2016-10011,CVE-2016-10012,CVE-2016-8858
Sources used:
openSUSE Leap 42.2 (src):    openssh-7.2p2-9.1, openssh-askpass-gnome-7.2p2-9.1
Comment 11 Swamp Workflow Management 2017-03-03 20:10:56 UTC
SUSE-SU-2017:0603-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1005480,1005893,1006221,1016366,1016369
CVE References: CVE-2016-10009,CVE-2016-10011,CVE-2016-8858
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    openssh-6.6p1-35.1, openssh-askpass-gnome-6.6p1-35.4
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    openssh-6.6p1-35.1, openssh-askpass-gnome-6.6p1-35.4
Comment 12 Swamp Workflow Management 2017-03-06 14:08:17 UTC
SUSE-SU-2017:0607-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1005480,1005893,1006221,1016366,1016369
CVE References: CVE-2016-10009,CVE-2016-10011,CVE-2016-8858
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src):    openssh-6.6p1-54.7.1, openssh-askpass-gnome-6.6p1-54.7.1
Comment 13 Swamp Workflow Management 2017-03-09 08:08:57 UTC
SUSE-SU-2017:0607-2: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1005480,1005893,1006221,1016366,1016369
CVE References: CVE-2016-10009,CVE-2016-10011,CVE-2016-8858
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    openssh-6.6p1-54.7.1, openssh-askpass-gnome-6.6p1-54.7.1
SUSE Linux Enterprise Server 12-SP1 (src):    openssh-6.6p1-54.7.1, openssh-askpass-gnome-6.6p1-54.7.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    openssh-6.6p1-54.7.1, openssh-askpass-gnome-6.6p1-54.7.1
Comment 14 Swamp Workflow Management 2017-03-09 11:09:25 UTC
SUSE-SU-2017:0607-3: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1005480,1005893,1006221,1016366,1016369
CVE References: CVE-2016-10009,CVE-2016-10011,CVE-2016-8858
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    openssh-6.6p1-54.7.1, openssh-askpass-gnome-6.6p1-54.7.1
Comment 15 Swamp Workflow Management 2017-03-13 14:23:09 UTC
openSUSE-SU-2017:0674-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1005480,1005893,1006221,1016366,1016369
CVE References: CVE-2016-10009,CVE-2016-10011,CVE-2016-8858
Sources used:
openSUSE Leap 42.1 (src):    openssh-6.6p1-17.1, openssh-askpass-gnome-6.6p1-17.1
Comment 17 Swamp Workflow Management 2017-06-23 13:12:09 UTC
SUSE-SU-2017:1661-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1005480,1005893,1006221,1016366,1016369
CVE References: CVE-2016-10009,CVE-2016-10011,CVE-2016-8858
Sources used:
SUSE Linux Enterprise Server 11-SECURITY (src):    openssh-openssl1-6.6p1-18.1
Comment 18 Tomáš Chvátal 2018-04-17 13:47:49 UTC
This is automated batch bugzilla cleanup.

openSUSE Leap 42.2 has changed to end-of-life (EOL [1]) status. As such
it is no longer maintained, which means that it will not receive any
further security or bug fix updates.
As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
openSUSE, or you can still observe it under openSUSE Leap 15.0, please
feel free to reopen this bug against that version (see the "Version"
component in the bug fields), or alternatively open
a new ticket.

Thank you for reporting this bug and we are sorry it could not be fixed
during the lifetime of the release.

[1] https://en.opensuse.org/Lifetime