[Bug 1006221] New: command to remove outdated hostkey from known_hosts file wrong
http://bugzilla.suse.com/show_bug.cgi?id=1006221 Bug ID: 1006221 Summary: command to remove outdated hostkey from known_hosts file wrong Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.2 Hardware: Other OS: Other Status: NEW Severity: Minor Priority: P5 - None Component: Basesystem Assignee: bnc-team-screening@forge.provo.novell.com Reporter: aspiers@suse.com QA Contact: qa-bugs@suse.de Found By: Development Blocker: --- When a host with a non-default port is in the ~/.ssh/known_hosts file then the suggested command to remove it does not work. For example, if known_hosts contains: [192.168.42.129]:2222 ssh-rsa .... then connecting with an outdated hostkey gives something like: Offending ECDSA key in /home/user/.ssh/known_hosts:440 You can use following command to remove all keys for this IP: ssh-keygen -R 192.168.42.129 -f /home/user/.ssh/known_hosts but that command doesn't do the right thing; it removes the entry for the hostkey on the default port 22, not on port 2222. The correct command to suggest would have been: ssh-keygen -R [192.168.42.129]:2222 -f /home/user/.ssh/known_hosts This is a resubmission of the upstream bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2169 which was rightly resolved as INVALID because the bug actually comes from a SUSE-specific patch: https://build.opensuse.org/package/view_file/openSUSE:Leap:42.2/openssh/open... The original source can be viewed here: https://github.com/openssh/openssh-portable/blob/00df97ff68a49a756d4b977cd02... -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1006221 Chenzi Cao <chcao@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|bnc-team-screening@forge.pr |pcerny@suse.com |ovo.novell.com | -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1006221 http://bugzilla.suse.com/show_bug.cgi?id=1006221#c1 --- Comment #1 from Petr Cerny <pcerny@suse.com> --- I'm wondering whether we shouldn't get rid of this at all... -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1006221 http://bugzilla.suse.com/show_bug.cgi?id=1006221#c2 --- Comment #2 from Adam Spiers <aspiers@suse.com> --- It's a helpful UI enhancement, so why not fix it instead of get rid of it? But it would be better if it was merged upstream ... -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1006221 Ludwig Nussel <lnussel@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P4 - Low -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1006221 http://bugzilla.suse.com/show_bug.cgi?id=1006221#c3 --- Comment #3 from Petr Cerny <pcerny@suse.com> --- It is, but producing a message depending on whether the port is standard 22 or something else will just inflate it. Mentioning the ssh-keygen(1) man page should be enough, imho. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1006221 http://bugzilla.suse.com/show_bug.cgi?id=1006221#c4 --- Comment #4 from Adam Spiers <aspiers@suse.com> --- (In reply to Petr Cerny from comment #3)
It is, but producing a message depending on whether the port is standard 22 or something else will just inflate it.
It will inflate what? It would hardly be a huge inflation to the source code.
Mentioning the ssh-keygen(1) man page should be enough, imho.
Surely that's not as helpful as providing a command they can use directly via cut and paste? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1006221 http://bugzilla.suse.com/show_bug.cgi?id=1006221#c5 Petr Cerny <pcerny@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |IN_PROGRESS --- Comment #5 from Petr Cerny <pcerny@suse.com> --- (In reply to Adam Spiers from comment #4)
(In reply to Petr Cerny from comment #3)
It is, but producing a message depending on whether the port is standard 22 or something else will just inflate it.
It will inflate what? It would hardly be a huge inflation to the source code.
I was afraid it would inflate the patch by adding reverse logic to ssh-keygen argument parsing. Fortunately it didn't turn out to be the case, so it will be fixed in the next MU.
Mentioning the ssh-keygen(1) man page should be enough, imho.
Surely that's not as helpful as providing a command they can use directly via cut and paste?
Yes, yet it also makes one more thing to think of when ssh-keygen behaviour changes, thus making it prone to rotting. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1006221 http://bugzilla.suse.com/show_bug.cgi?id=1006221#c6 --- Comment #6 from Adam Spiers <aspiers@suse.com> --- (In reply to Petr Cerny from comment #5)
(In reply to Adam Spiers from comment #4)
It will inflate what? It would hardly be a huge inflation to the source code.
I was afraid it would inflate the patch by adding reverse logic to ssh-keygen argument parsing.
Ah, OK.
Fortunately it didn't turn out to be the case, so it will be fixed in the next MU.
Great, thanks!
Mentioning the ssh-keygen(1) man page should be enough, imho.
Surely that's not as helpful as providing a command they can use directly via cut and paste?
Yes, yet it also makes one more thing to think of when ssh-keygen behaviour changes, thus making it prone to rotting.
Yeah, that's true. Hopefully low risk though :) -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1006221 Swamp Workflow Management <swamp@suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Whiteboard| |ibs:running:3553:low | |ibs:running:3552:low | |ibs:running:3551:low -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1006221 Swamp Workflow Management <swamp@suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|ibs:running:3553:low |ibs:running:3553:low |ibs:running:3552:low |ibs:running:3552:low |ibs:running:3551:low |ibs:running:3551:low | |maint:running:63339:moderat | |e -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1006221 http://bugzilla.suse.com/show_bug.cgi?id=1006221#c8 --- Comment #8 from Swamp Workflow Management <swamp@suse.de> --- An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2017-01-25. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63339 -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1006221 Swamp Workflow Management <swamp@suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|ibs:running:3553:low |ibs:running:3553:low |ibs:running:3552:low |ibs:running:3552:low |ibs:running:3551:low |ibs:running:3551:moderate |maint:running:63339:moderat |maint:running:63339:moderat |e |e -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1006221 http://bugzilla.suse.com/show_bug.cgi?id=1006221#c9 --- Comment #9 from Swamp Workflow Management <swamp@suse.de> --- SUSE-SU-2017:0264-1: An update that solves 5 vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 1005480,1005893,1006221,1016366,1016368,1016369,1016370 CVE References: CVE-2016-10009,CVE-2016-10010,CVE-2016-10011,CVE-2016-10012,CVE-2016-8858 Sources used: SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): openssh-7.2p2-66.1, openssh-askpass-gnome-7.2p2-66.3 SUSE Linux Enterprise Server 12-SP2 (src): openssh-7.2p2-66.1, openssh-askpass-gnome-7.2p2-66.3 SUSE Linux Enterprise Desktop 12-SP2 (src): openssh-7.2p2-66.1, openssh-askpass-gnome-7.2p2-66.3 -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1006221 Swamp Workflow Management <swamp@suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|ibs:running:3553:low |ibs:running:3553:low |ibs:running:3552:low |ibs:running:3552:low |ibs:running:3551:moderate |maint:running:63339:moderat |maint:running:63339:moderat |e |e | -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1006221 Swamp Workflow Management <swamp@suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|ibs:running:3553:low |ibs:running:3553:low |ibs:running:3552:low |ibs:running:3552:low |maint:running:63339:moderat |maint:running:63339:moderat |e |e obs:running:6306:moderate -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1006221 Swamp Workflow Management <swamp@suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|ibs:running:3553:low |ibs:running:3553:low |ibs:running:3552:low |ibs:running:3552:low |maint:running:63339:moderat |maint:running:63339:moderat |e obs:running:6306:moderate |e -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1006221 http://bugzilla.suse.com/show_bug.cgi?id=1006221#c10 --- Comment #10 from Swamp Workflow Management <swamp@suse.de> --- openSUSE-SU-2017:0344-1: An update that solves 5 vulnerabilities and has three fixes is now available. Category: security (moderate) Bug References: 1005480,1005893,1006221,1016366,1016368,1016369,1016370,1021626 CVE References: CVE-2016-10009,CVE-2016-10010,CVE-2016-10011,CVE-2016-10012,CVE-2016-8858 Sources used: openSUSE Leap 42.2 (src): openssh-7.2p2-9.1, openssh-askpass-gnome-7.2p2-9.1 -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1006221 Swamp Workflow Management <swamp@suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|ibs:running:3553:low |ibs:running:3553:moderate |ibs:running:3552:low |ibs:running:3552:moderate |maint:running:63339:moderat |maint:running:63339:moderat |e |e -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1006221 http://bugzilla.suse.com/show_bug.cgi?id=1006221#c11 --- Comment #11 from Swamp Workflow Management <swamp@suse.de> --- SUSE-SU-2017:0603-1: An update that solves three vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 1005480,1005893,1006221,1016366,1016369 CVE References: CVE-2016-10009,CVE-2016-10011,CVE-2016-8858 Sources used: SUSE Linux Enterprise Server 11-SP4 (src): openssh-6.6p1-35.1, openssh-askpass-gnome-6.6p1-35.4 SUSE Linux Enterprise Debuginfo 11-SP4 (src): openssh-6.6p1-35.1, openssh-askpass-gnome-6.6p1-35.4 -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1006221 Swamp Workflow Management <swamp@suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|ibs:running:3553:moderate |maint:running:63339:moderat |ibs:running:3552:moderate |e |maint:running:63339:moderat | |e | -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1006221 http://bugzilla.suse.com/show_bug.cgi?id=1006221#c12 --- Comment #12 from Swamp Workflow Management <swamp@suse.de> --- SUSE-SU-2017:0607-1: An update that solves three vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 1005480,1005893,1006221,1016366,1016369 CVE References: CVE-2016-10009,CVE-2016-10011,CVE-2016-8858 Sources used: SUSE Linux Enterprise Server 12-SP1 (src): openssh-6.6p1-54.7.1, openssh-askpass-gnome-6.6p1-54.7.1 -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1006221 http://bugzilla.suse.com/show_bug.cgi?id=1006221#c13 --- Comment #13 from Swamp Workflow Management <swamp@suse.de> --- SUSE-SU-2017:0607-2: An update that solves three vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 1005480,1005893,1006221,1016366,1016369 CVE References: CVE-2016-10009,CVE-2016-10011,CVE-2016-8858 Sources used: SUSE Linux Enterprise Server for SAP 12 (src): openssh-6.6p1-54.7.1, openssh-askpass-gnome-6.6p1-54.7.1 SUSE Linux Enterprise Server 12-SP1 (src): openssh-6.6p1-54.7.1, openssh-askpass-gnome-6.6p1-54.7.1 SUSE Linux Enterprise Desktop 12-SP1 (src): openssh-6.6p1-54.7.1, openssh-askpass-gnome-6.6p1-54.7.1 -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1006221 http://bugzilla.suse.com/show_bug.cgi?id=1006221#c14 --- Comment #14 from Swamp Workflow Management <swamp@suse.de> --- SUSE-SU-2017:0607-3: An update that solves three vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 1005480,1005893,1006221,1016366,1016369 CVE References: CVE-2016-10009,CVE-2016-10011,CVE-2016-8858 Sources used: SUSE Linux Enterprise Server 12-LTSS (src): openssh-6.6p1-54.7.1, openssh-askpass-gnome-6.6p1-54.7.1 -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1006221 http://bugzilla.suse.com/show_bug.cgi?id=1006221#c15 --- Comment #15 from Swamp Workflow Management <swamp@suse.de> --- openSUSE-SU-2017:0674-1: An update that solves three vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 1005480,1005893,1006221,1016366,1016369 CVE References: CVE-2016-10009,CVE-2016-10011,CVE-2016-8858 Sources used: openSUSE Leap 42.1 (src): openssh-6.6p1-17.1, openssh-askpass-gnome-6.6p1-17.1 -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1006221 Swamp Workflow Management <swamp@suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|maint:running:63339:moderat |maint:running:63339:moderat |e |e ibs:running:4887:moderate -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1006221 http://bugzilla.suse.com/show_bug.cgi?id=1006221#c17 --- Comment #17 from Swamp Workflow Management <swamp@suse.de> --- SUSE-SU-2017:1661-1: An update that solves three vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 1005480,1005893,1006221,1016366,1016369 CVE References: CVE-2016-10009,CVE-2016-10011,CVE-2016-8858 Sources used: SUSE Linux Enterprise Server 11-SECURITY (src): openssh-openssl1-6.6p1-18.1 -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1006221 Swamp Workflow Management <swamp@suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|maint:running:63339:moderat |maint:running:63339:moderat |e ibs:running:4887:moderate |e -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1006221 http://bugzilla.suse.com/show_bug.cgi?id=1006221#c18 Tomáš Chvátal <tchvatal@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|IN_PROGRESS |RESOLVED Resolution|--- |WONTFIX --- Comment #18 from Tomáš Chvátal <tchvatal@suse.com> --- This is automated batch bugzilla cleanup. The openSUSE 42.2 changed to end-of-life (EOL [1]) status. As such it is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of openSUSE, or you can still observe it under openSUSE Leap 15.0, please feel free to reopen this bug against that version (see the "Version" component in the bug fields), or alternatively open a new ticket. Thank you for reporting this bug and we are sorry it could not be fixed during the lifetime of the release. [1] https://en.opensuse.org/Lifetime -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1006221 Swamp Workflow Management <swamp@suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|maint:running:63339:moderat |maint:running:63339:moderat |e |e maint:planned:update -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@novell.com