On Thu, 3 Nov 2022, Mikolaj Kucharski wrote:

> On Thu, Nov 03, 2022 at 07:06:48AM +0000, Mikolaj Kucharski wrote:
> > Hi,
> >
> > I've been using the below type of config for a few years now. Today I've upgraded to:
> >
> > OpenBSD 7.2-current (GENERIC.MP) #823: Wed Nov 2 11:56:37 MDT 2022
> >     [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> >
> > and see the following problem:
> >
> > $ ssh -vv pce-0035
> > OpenSSH_9.1, LibreSSL 3.6.0
> > debug1: Reading configuration data /home/mk1/.ssh/config
> > debug1: /home/mk1/.ssh/config line 127: Applying options for pce-0035
> > debug1: /home/mk1/.ssh/config line 1527: Applying options for *
> > debug1: Reading configuration data /etc/ssh/ssh_config
> > debug2: resolve_addr: could not resolve name [fde4:f456:48c2:13c0::cc35] as address: name or service is not known
> > debug1: resolve_canonicalize: hostname [fde4:f456:48c2:13c0::cc35] is an unrecognised address
> > debug1: Executing proxy command: exec ssh -q -W [fde4:f456:48c2:13c0::cc35]:22 ks2
> > ...
> > debug1: load_hostkeys: fopen /home/mk1/.ssh/known_hosts2: No such file or directory
> > debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
> > debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
> > debug1: check_host_key: invalid hostname "[fde4:f456:48c2:13c0::cc35]"; will not record: domain name "[fde4:f456:48c2:13c0::cc35]" starts with invalid character
> > Host key verification failed.
> > $ _
> >
> > # ~/.ssh/config
> > Host pce-0035
> >     User root
> >     HostName [fde4:f456:48c2:13c0::cc35]
> >     ProxyCommand ssh -q -W %h:%p ks2
> > Host ks2
> >     User root
> >     HostName ks2.example.com
> > Host *
> >     AddressFamily any
> >     Protocol 2
> >     ServerAliveInterval 120
> >     ConnectionAttempts 3
> >     ConnectTimeout 30
> >     ForwardAgent no
>
> Reverting below helps with above:
>
> commit 64416e996841f6651db1721672edf837c235712c
> Author: djm <[email protected]>
> Date:   Mon Oct 24 22:43:36 2022 +0000
>
>     Be more paranoid with host/domain names coming from the resolver:
>     don't follow CNAMEs with invalid characters when canonicalising
>     and never write a name with bad characters to a known_hosts file.
>
>     reported by David Leadbeater, ok deraadt@

I just committed something to relax this overly-strict check, but it still
won't fix your config. This is because

    HostName [fde4:f456:48c2:13c0::cc35]

doesn't actually work. E.g.

    $ ssh -oHostname=[::1] x
    ssh: Could not resolve hostname [::1]: no address associated with name

It only worked in the context of your configuration because it was treated
as a literal string and not an address.

Changing your config to avoid this should be backwards-compatible:

    Host pce-0035
        User root
        HostName fde4:f456:48c2:13c0::cc35
        ProxyCommand ssh -q -W [%h]:%p ks2

or you could use ProxyJump

-d
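As an added illustration of the misconfiguration discussed in this thread (example code written for this page, not OpenSSH code and not from either poster), the small Python linter below finds a bracketed IPv6 `HostName` in ssh_config text and rewrites the block the way the reply suggests: bare address in `HostName`, brackets moved into the `-W` target of `ProxyCommand`. The minimal parser, the function names and the sample config are assumptions constructed for the example.

```python
import ipaddress

# Constructed sample input: the problem block from the thread, plus the jump host.
SAMPLE_CONFIG = """\
Host pce-0035
    HostName [fde4:f456:48c2:13c0::cc35]
    ProxyCommand ssh -q -W %h:%p ks2
Host ks2
    HostName ks2.example.com
"""

def parse_hosts(text):
    """Split ssh_config text into an ordered list of (host_pattern, [(keyword, value)])."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        if keyword.lower() == "host":
            blocks.append((value.strip(), []))
        elif blocks:
            blocks[-1][1].append((keyword, value.strip()))
    return blocks

def fix_block(opts):
    """A bracketed HostName is a literal string to ssh, not an address: it cannot be
    resolved and its leading '[' fails the known_hosts name check. Strip the brackets
    and put them into ProxyCommand's -W target, where an IPv6 address needs them."""
    warnings, fixed, moved = [], [], False
    for kw, val in opts:
        if kw.lower() == "hostname" and val[:1] == "[" and val[-1:] == "]":
            ipaddress.IPv6Address(val[1:-1])  # ValueError if not an IPv6 literal
            warnings.append(f"HostName {val}: brackets make this a literal name, not an address")
            val, moved = val[1:-1], True
        fixed.append((kw, val))
    if moved:  # second pass: ProxyCommand may come before HostName in the block
        fixed = [(k, v.replace("%h:%p", "[%h]:%p") if k.lower() == "proxycommand" else v)
                 for k, v in fixed]
    return warnings, fixed

def check_config(text):
    """Lint every Host block; return (warnings, rewritten config text)."""
    warnings, out = [], []
    for pattern, opts in parse_hosts(text):
        w, fixed = fix_block(opts)
        warnings += w
        out += [f"Host {pattern}"] + [f"    {k} {v}" for k, v in fixed]
    return warnings, "\n".join(out) + "\n"
```

Running `check_config(SAMPLE_CONFIG)` reports the bracketed HostName and returns the rewritten config; blocks without the problem, such as `ks2`, come back unchanged.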
