ssh known_hosts in 10.1

Matthew Seaman matthew at FreeBSD.org
Wed Feb 11 22:49:27 UTC 2015


On 11/02/2015 22:03, Eric van Gyzen wrote:
> I just updated my workstation from 10.0 to 10.1.  Now, ssh is prompting
> me to accept host keys that I accepted long ago.  ssh is looking for the
> host key in known_hosts using the name given on the command line; it
> previously used the FQDN.  ssh-keygen -F confirms that known_hosts has
> the same key for the FQDN.
> 
> If I recall correctly, using the FQDN in known_hosts was a FreeBSD
> customization.  Did this get dropped during the OpenSSH update?

It's a different type of SSH key.  The new default in 10.1 is to use
ECDSA keys (identified typically as ecdsa-sha2-nistp256 in known_hosts),
when available, and it's those that SSH is prompting you about.  As
distinct from the DSA and RSA keys you'll have had in your known_hosts
for donkey's years.

You can suppress the prompts about new keys by adding appropriate SSHFP
records to your DNS, although you should be running with DNSSEC enabled
if you choose to do that.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
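The SSHFP records Matthew mentions are what `ssh-keygen -r` emits, and the short-name-versus-FQDN prompt Eric reports comes down to how ssh matches the host field of each known_hosts line. The following is an added example, not code from this thread or from OpenSSH: it parses a constructed known_hosts file (key blobs are valid base64 but truncated placeholders, not real keys), lists which key types are stored for a name, and derives the SSHFP RDATA (IANA algorithm number, fingerprint type 2, SHA-256 of the decoded key blob).

```python
"""Added example: which key types known_hosts holds for a name, and the
matching SSHFP (RFC 4255 / RFC 6594) records. Sample data is constructed."""
import base64
import hashlib
import hmac

# IANA SSHFP algorithm numbers: 1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
             "ssh-ed25519": 4}
SSHFP_SHA256 = 2  # fingerprint type 2 = SHA-256 (type 1 = SHA-1, legacy)

# Constructed known_hosts: FQDN entries for an RSA and an ECDSA key, plus
# one Ed25519 host. Blobs are truncated prefixes, not usable keys.
KNOWN_HOSTS = """\
ws.example.org,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2E=
ws.example.org,192.0.2.10 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY=
other.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5
"""

def host_matches(pattern, hostname):
    """Match a known_hosts host field: comma list or |1|salt|hash form
    (HashKnownHosts), which is HMAC-SHA1(salt, hostname), base64-encoded."""
    if pattern.startswith("|1|"):
        _, _, salt, digest = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt), hostname.encode(),
                       hashlib.sha1).digest()
        return base64.b64encode(mac).decode() == digest
    return hostname in pattern.split(",")  # exact match: "ws" != "ws.example.org"

def parse_known_hosts(text):
    """Yield (hostfield, keytype, b64blob) for every key line."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):  # @cert-authority / @revoked marker
            parts = parts[1:]
        if len(parts) >= 3:
            yield parts[0], parts[1], parts[2]

def key_types_for(text, hostname):
    """Key types known_hosts already trusts for hostname (empty -> ssh prompts)."""
    return sorted({kt for hf, kt, _ in parse_known_hosts(text)
                   if host_matches(hf, hostname)})

def sshfp_records(text, hostname):
    """SSHFP RRs for hostname, in the form ssh-keygen -r prints them."""
    out = []
    for hf, keytype, blob in parse_known_hosts(text):
        if keytype in SSHFP_ALG and host_matches(hf, hostname):
            fp = hashlib.sha256(base64.b64decode(blob)).hexdigest()
            out.append(f"{hostname}. IN SSHFP {SSHFP_ALG[keytype]} {SSHFP_SHA256} {fp}")
    return out
```

OpenSSH only skips the prompt when `VerifyHostKeyDNS` is enabled and the resolver returns the SSHFP answer DNSSEC-validated (AD bit set); an unvalidated match is reported but the prompt still appears.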

