Issue #21811 has been updated by Charlie Sharpsteen.

Status changed from Unreviewed to Needs More Information
Assignee set to Mark Ruys
The generated host key entry appears to match the format described by the "SSH_KNOWN_HOSTS FILE FORMAT" section of [the sshd man page](http://linux.die.net/man/8/sshd). The entries that are being created by ssh are using the "hashed form" for hostnames. I suspect what is happening is that your ssh command is not using an address that matches either the resource name or one of the host_aliases that you have provided. For example, if I define the following resource for the bitbucket.org key:

<pre>
sshkey { 'bitbucket.org':
  ensure => 'present',
  type   => 'ssh-rsa',
  key    => 'AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==',
}
</pre>

I get the following `/etc/ssh/known_hosts` file:

<pre>
# HEADER: This file was autogenerated at Wed Jul 17 17:37:23 +0000 2013
# HEADER: by puppet. While it can still be managed manually, it
# HEADER: is definitely not recommended.
bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==
</pre>

Testing the connection, I see that the `bitbucket.org` address gets resolved to 131.103.20.168, which is automatically added to the known_hosts file:

<pre>
ssh [email protected]
Warning: Permanently added the RSA host key for IP address '131.103.20.168' to the list of known hosts.
PTY allocation request failed on channel 0
conq: authenticated via a deploy key.
You can use git or hg to connect to Bitbucket. Shell access is disabled.
Connection to bitbucket.org closed.
</pre>

However, if I try connecting directly to 131.103.20.168, I get asked to confirm the host identity:

<pre>
# ssh [email protected]
The authenticity of host '131.103.20.168 (131.103.20.168)' can't be established.
RSA key fingerprint is 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '131.103.20.168' (RSA) to the list of known hosts.
PTY allocation request failed on channel 0
conq: authenticated via a deploy key.
You can use git or hg to connect to Bitbucket. Shell access is disabled.
Connection to 131.103.20.168 closed.
</pre>

Are your ssh commands using a different address than the resource name or host_aliases defined in the sshkey?

----------------------------------------
Bug #21811: Wrong format /etc/ssh/ssh_known_hosts for ecdsa-sha2-nistp256 keys
https://projects.puppetlabs.com/issues/21811#change-94985

* Author: Mark Ruys
* Status: Needs More Information
* Priority: Normal
* Assignee: Mark Ruys
* Category: ssh
* Target version:
* Affected Puppet version: 3.2.2
* Keywords: ssh
* Branch:
----------------------------------------

When I apply:

<pre>
sshkey { "${fqdn}_ecdsa-sha2-nistp256":
  host_aliases => [ "$fqdn", "$hostname", "$ipaddress" ],
  type         => ecdsa-sha2-nistp256,
  key          => $sshecdsakey,
}
</pre>

the generated line is:

<pre>
app01.cluster.peercode.nl_ecdsa-sha2-nistp256,app01.cluster.peercode.nl,app01,10.243.0.61 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDe0Ij3EUAUuZd3PRAUWSQk/Rc/uJQEQNnIlfFC9VPCPw8HRHr/ZBYBKwt/ucskE9+9NUVpNcEtSSZD7kiBQdoM=
</pre>

This is not accepted by ssh, as it still asks to confirm the host identity.
It then inserts into ~/.ssh/known_hosts two lines:

<pre>
|1|nKfBJdWYK8pcfw5uYDFbEjwinek=|i4xCR6M97ohkW2QX2EP4x6BrGOI= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDe0Ij3EUAUuZd3PRAUWSQk/Rc/uJQEQNnIlfFC9VPCPw8HRHr/ZBYBKwt/ucskE9+9NUVpNcEtSSZD7kiBQdoM=
|1|AFKXXOXTMqb3s7xFZjIXMhLFgvw=|7Tj2HonmX9r//yTA0wm/tAcYXPw= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDe0Ij3EUAUuZd3PRAUWSQk/Rc/uJQEQNnIlfFC9VPCPw8HRHr/ZBYBKwt/ucskE9+9NUVpNcEtSSZD7kiBQdoM=
</pre>

Ubuntu 12.04
OpenSSH 5.9
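To make the matching rule in this thread concrete, here is an added example (my own code, not Puppet's sshkey provider and not code from the bug report) that parses a known_hosts file and reports which entries cover a given name. It handles both forms seen above: the plain comma-separated hosts field that the sshkey resource writes (resource name plus host_aliases) and the hashed `|1|base64(salt)|base64(HMAC-SHA1(salt, host))` field that ssh itself writes when it "permanently adds" a key. The sample file, the fixed salt and the example.net names are constructed; the RSA key is a truncated placeholder and the ECDSA key is the one from the report.

```python
"""Lookup and hashing of OpenSSH known_hosts entries (added example, not Puppet code)."""
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"                      # prefix OpenSSH puts on a hashed hostname field
SALT_LEN = hashlib.sha1().digest_size   # 20 bytes: the salt is SHA-1 sized


def hash_hostname(host, salt=None):
    """Hashed form of ONE hostname: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "{}{}|{}".format(HASH_MAGIC,
                            base64.b64encode(salt).decode(),
                            base64.b64encode(mac).decode())


def hostname_matches(hosts_field, host):
    """Does the first field of a known_hosts line cover `host`?

    A hashed field covers exactly one name, so the salted HMAC is recomputed and
    compared. A plain field is a comma-separated list of names; only exact names
    are handled here (OpenSSH also accepts '*', '?' and '!' patterns, omitted).
    """
    if hosts_field.startswith(HASH_MAGIC):
        try:
            salt_b64, mac_b64 = hosts_field[len(HASH_MAGIC):].split("|", 1)
            salt = base64.b64decode(salt_b64, validate=True)
            expected = base64.b64decode(mac_b64, validate=True)
        except ValueError:          # binascii.Error is a ValueError
            return False            # malformed hashed field never matches
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return host in hosts_field.split(",")


def parse_known_hosts(text):
    """Return (marker, hosts_field, keytype, key) per entry; comments/blanks skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        marker = None
        if parts[0].startswith("@"):       # e.g. @cert-authority or @revoked
            marker, parts = parts[0], parts[1:]
        if len(parts) < 3:
            continue                        # not a well-formed entry
        entries.append((marker, parts[0], parts[1], parts[2]))
    return entries


def find_host_keys(text, host):
    """All (keytype, key) pairs whose hosts field covers `host`, plain or hashed."""
    return [(kt, key) for _marker, hosts, kt, key in parse_known_hosts(text)
            if hostname_matches(hosts, host)]


def hash_known_hosts_line(line, salt=None):
    """Rewrite a plain entry the way `ssh-keygen -H` does: one hashed line per name,
    because a hashed field can only ever name a single host."""
    hosts, rest = line.split(None, 1)
    return ["{} {}".format(hash_hostname(name, salt), rest) for name in hosts.split(",")]


# Constructed sample (not a real file): a Puppet-style plain entry whose first field
# is the resource name plus host_aliases, and a hashed entry as ssh would write it.
SAMPLE_SALT = bytes(range(SALT_LEN))   # fixed so the sample is reproducible; real salts are random
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# HEADER: constructed sample",
    "app01.cluster.example.net_ecdsa-sha2-nistp256,app01.cluster.example.net,app01,10.243.0.61 "
    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDe0Ij3EUAUuZd3PRAUWSQk/"
    "Rc/uJQEQNnIlfFC9VPCPw8HRHr/ZBYBKwt/ucskE9+9NUVpNcEtSSZD7kiBQdoM=",
    hash_hostname("bitbucket.org", SAMPLE_SALT)
    + " ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEc",   # truncated placeholder
])

if __name__ == "__main__":
    for probe in ("app01", "10.243.0.61", "bitbucket.org", "131.103.20.168"):
        found = [kt for kt, _ in find_host_keys(SAMPLE_KNOWN_HOSTS, probe)]
        print(probe, "->", found or "not in known_hosts")
```

Running it shows the point of the reply above: `app01`, `10.243.0.61` and the resource name all match the Puppet-written line because they are literal members of its comma-separated hosts field, while `131.103.20.168` matches nothing, since the only hashed entry was computed over `bitbucket.org`. On a real file, `ssh-keygen -F <host> -f <file>` performs the same lookup and `ssh-keygen -H -f <file>` performs the same rewrite to hashed form, so a name that `ssh-keygen -F` cannot find is a name that `ssh` will prompt for.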
