ssh known_hosts in 10.1
Eric van Gyzen
eric at vangyzen.net
Thu Feb 12 02:05:19 UTC 2015
On 2/11/15 5:49 PM, Matthew Seaman wrote:
> On 11/02/2015 22:03, Eric van Gyzen wrote:
>> I just updated my workstation from 10.0 to 10.1. Now, ssh is prompting
>> me to accept host keys that I accepted long ago. ssh is looking for the
>> host key in known_hosts using the name given on the command line; it
>> previously used the FQDN. ssh-keygen -F confirms that known_hosts has
>> the same key for the FQDN.
>>
>> If I recall correctly, using the FQDN in known_hosts was a FreeBSD
>> customization. Did this get dropped during the OpenSSH update?
> It's a different type of SSH key. The new default in 10.1 is to use
> ECDSA keys (identified typically as ecdsa-sha2-nistp256 in known_hosts),
> when available, and it's those that SSH is prompting you about. As
> distinct from the DSA and RSA keys you'll have had in your known_hosts
> for donkey's years.
I'm afraid that's not the case. I have scads of ECDSA keys in my
known_hosts file. Specifically, the hosts I'm connecting to already
have the exact same ECDSA key in known_hosts, with the only difference
being the host name (short versus FQDN).
ED25519 host keys were added in 10.1. Perhaps you're thinking of those?
> You can suppress the prompts about new keys by adding appropriate SSHFP
> records to your DNS, although you should be running with DNSSEC enabled
> if you choose to do that.
I would love to, but I'm only a user (luser?) in this environment, not
an admin.
Thanks for the reply,
Eric
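The lookup rule at issue in this thread is easy to reproduce: ssh searches known_hosts for the name given on the command line (lowercased, and as `[host]:port` when the port is not 22), so a key recorded under the FQDN does not satisfy a connection to the short name, and `ssh-keygen -F short-name` returns nothing. The script below is an added example, not code from OpenSSH, FreeBSD or the thread participants. It parses a constructed known_hosts file with made-up host names and placeholder key blobs, reports which keys ssh would prompt for when you type the short name even though the same key is already trusted under the FQDN, and builds the entry that covers both names. It also handles the hashed `|1|salt|hash` form written by `ssh-keygen -H`, which is HMAC-SHA1 of the host name keyed with the salt.

```python
"""known_hosts lookup by the name ssh actually searches for (added example)."""
import base64
import hashlib
import hmac
import os
import re
from typing import List, NamedTuple, Optional


class Entry(NamedTuple):
    marker: Optional[str]  # "@cert-authority" / "@revoked" or None
    hosts: List[str]       # comma-separated patterns, or one "|1|..." hash
    key_type: str          # e.g. "ecdsa-sha2-nistp256"
    key_b64: str           # base64 key blob
    comment: str


def parse_known_hosts(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = None
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue  # malformed line; ssh skips these as well
        entries.append(Entry(marker, fields[0].split(","), fields[1], fields[2],
                             " ".join(fields[3:])))
    return entries


def format_entry(e: Entry) -> str:
    parts = ([e.marker] if e.marker else []) + [",".join(e.hosts), e.key_type, e.key_b64]
    return " ".join(parts + ([e.comment] if e.comment else []))


def hash_host(name: str, salt: Optional[bytes] = None) -> str:
    """Render a host name the way ssh-keygen -H stores it: |1|salt|HMAC-SHA1."""
    salt = salt if salt is not None else os.urandom(20)
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def _hashed_match(pattern: str, name: str) -> bool:
    parts = pattern.split("|")
    if len(parts) != 4 or parts[1] != "1":
        return False
    salt, want = base64.b64decode(parts[2]), base64.b64decode(parts[3])
    return hmac.compare_digest(hmac.new(salt, name.encode(), hashlib.sha1).digest(), want)


def _wildcard_match(pattern: str, name: str) -> bool:
    # ssh patterns know only '*' and '?'; the '[' in "[host]:port" is literal,
    # so fnmatch (which treats '[' as a character class) would be wrong here.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, name) is not None


def host_matches(patterns: List[str], name: str) -> bool:
    """A matching negated pattern vetoes the line; otherwise any match wins."""
    if patterns and patterns[0].startswith("|1|"):
        return _hashed_match(patterns[0], name)
    matched = False
    for pat in patterns:
        negate = pat.startswith("!")
        if _wildcard_match(pat[1:] if negate else pat, name):
            if negate:
                return False
            matched = True
    return matched


def lookup_name(host: str, port: int = 22) -> str:
    """The string ssh searches for: the typed host, lowercased, or [host]:port."""
    host = host.lower()
    return host if port == 22 else "[%s]:%d" % (host, port)


def find_keys(entries: List[Entry], host: str, port: int = 22) -> List[Entry]:
    """Equivalent of `ssh-keygen -F name`, with name built as ssh builds it."""
    name = lookup_name(host, port)
    return [e for e in entries if host_matches(e.hosts, name)]


def keys_only_under(entries: List[Entry], typed: str, other: str) -> List[str]:
    """Key types recorded for `other` but absent for `typed`: the keys ssh will
    prompt about when you type `typed`, although they were accepted under `other`."""
    have = {(e.key_type, e.key_b64) for e in find_keys(entries, typed)}
    return sorted({e.key_type for e in find_keys(entries, other)
                   if (e.key_type, e.key_b64) not in have})


def add_host_alias(e: Entry, alias: str) -> Entry:
    """Entry that also matches `alias`. Plain entries take a second comma-separated
    name; a hashed entry holds one name, so it becomes a new line for the alias."""
    alias = alias.lower()
    if e.hosts and e.hosts[0].startswith("|1|"):
        return e._replace(hosts=[hash_host(alias)])
    return e._replace(hosts=[alias] + [h for h in e.hosts if h != alias])


# Constructed sample (placeholder key blobs): the ECDSA key exists only under the FQDN.
SAMPLE = """\
# made-up hosts and keys for the example
box.example.org ecdsa-sha2-nistp256 AAAAplaceholder1 ECDSA
box.example.org,10.0.0.5 ssh-rsa AAAAplaceholder2 RSA
"""

if __name__ == "__main__":
    entries = parse_known_hosts(SAMPLE)
    print("ssh box             ->", [e.key_type for e in find_keys(entries, "box")])
    print("ssh box.example.org ->", [e.key_type for e in find_keys(entries, "box.example.org")])
    print("prompts for:", keys_only_under(entries, "box", "box.example.org"))
    for e in find_keys(entries, "box.example.org"):
        print(format_entry(add_host_alias(e, "box")))
```

Without admin rights on the servers or DNS, the user-side fixes are the ones this script models: add the short name to the existing FQDN line (or a second hashed line for it), or tell ssh which name to use for the lookup with `HostKeyAlias` in `~/.ssh/config`. OpenSSH also has a `CanonicalizeHostname` client option that makes it look up the canonical name; that option is stated here as a known feature of OpenSSH, not something the thread discusses.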