On Wed, 28 Oct 2020, Jeremie Courreges-Anglas wrote:

> On Wed, Oct 28 2020, Damien Miller <[email protected]> wrote:
> > On Mon, 26 Oct 2020, Jeremie Courreges-Anglas wrote:
> >
> >> On Fri, Oct 23 2020, Damien Miller <[email protected]> wrote:
> >> > On Fri, 23 Oct 2020, Jeremie Courreges-Anglas wrote:
> >> >
> >> >> 
> >> >> I upgraded my ports builder from snaps yesterday and I hit this when
> >> >> running cvs up:
> >
> > [big snip]
> >
> > I think I have replicated your problem. Can you roll your known_hosts
> > back to just the ecdsa-sha2-nistp256 keys, apply this patch and attempt
> > a few connections? You should see no more conflicts between IPv4/IPv6
> > addresses.
> 
> Here's a v6->v4 case which didn't improve.  I believe that the data
> provided below should help you reproduce the issue, if not there's
> something weird going on.  Feel free to send more patches my way.

Thanks - I think the following patch should fix it. If it doesn't
then can you please rerun your testing with some extra logging:

ssh -oLogVerbose=sshconnect.c:*,clientloop.c:*,hostfile.c:* ...

diff --git a/clientloop.c b/clientloop.c
index cda0845..2cbf6d1 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1878,13 +1878,20 @@ hostkeys_find(struct hostkey_foreach_line *l, void 
*_ctx)
                return 0;
        }
 
-       /* Record if address matched against a different hostname. */
-       if (ctx->ip_str != NULL && (l->match & HKF_MATCH_HOST) == 0 &&
-           strchr(l->hosts, ',') != NULL) {
-               ctx->other_name_seen = 1;
-               debug3_f("found address %s against different hostname at "
-                   "%s:%ld", ctx->ip_str, l->path, l->linenum);
-               return 0;
+       /* If CheckHostIP is enabled, then check for mismatched hostname/addr */
+       if (ctx->ip_str != NULL && strchr(l->hosts, ',') != NULL) {
+               if ((l->match & HKF_MATCH_HOST) == 0) {
+                       /* Record if address matched a different hostname. */
+                       ctx->other_name_seen = 1;
+                       debug3_f("found address %s against different hostname "
+                           "at %s:%ld", ctx->ip_str, l->path, l->linenum);
+                       return 0;
+               } else if ((l->match & HKF_MATCH_IP) == 0) {
+                       /* Record if hostname matched a different address. */
+                       ctx->other_name_seen = 1;
+                       debug3_f("found hostname %s against different address "
+                           "at %s:%ld", ctx->host_str, l->path, l->linenum);
+               }
        }
 
        /*
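Review bot: the new `else if` branch (hostname matched, address did not) falls through to the rest of hostkeys_find, whereas the sibling branch returns 0; if that is deliberate, because a line whose hostname matched still carries a key relevant to this host, say so in the comment, otherwise a reader will take the asymmetry for a missing `return 0;`. Smaller point: the block comment says "If CheckHostIP is enabled" while the code tests `ctx->ip_str != NULL`; phrasing it as "ctx->ip_str is only set when CheckHostIP is enabled" would make the link between the two explicit.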
@@ -2277,7 +2284,7 @@ client_input_hostkeys(struct ssh *ssh)
                    ctx->ip_str ? ctx->ip_str : "(none)");
                if ((r = hostkeys_foreach(options.user_hostfiles[i],
                    hostkeys_find, ctx, ctx->host_str, ctx->ip_str,
-                   HKF_WANT_PARSE_KEY|HKF_WANT_MATCH)) != 0) {
+                   HKF_WANT_PARSE_KEY)) != 0) {
                        if (r == SSH_ERR_SYSTEM_ERROR && errno == ENOENT) {
                                debug_f("hostkeys file %s does not exist",
                                    options.user_hostfiles[i]);
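Review bot: dropping HKF_WANT_MATCH changes the contract of hostkeys_find, since hostkeys_foreach will now invoke it for every parsed line rather than only the lines matching ctx->host_str or ctx->ip_str. The callback therefore has to reject non-matching lines itself before the new mismatch checks in the first hunk run; otherwise a line that matched neither host nor address but contains a comma in l->hosts will satisfy `(l->match & HKF_MATCH_HOST) == 0`, set other_name_seen and log a spurious "found address ... against different hostname". The early part of hostkeys_find is snipped from this patch, so please confirm it returns on l->status != matched (or l->match == 0) before reaching that code, and note the reason for the flag change in a comment at this call site.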
