
#8867 closed defect (fixed)

Changed fingerprint prompt and duplicate ECDSA host key entries in ~/.ssh/known_hosts

Reported by: YesThatAllen
Owned by: dkocher
Priority: normal
Milestone: 5.1
Component: sftp
Version: Nightly Build
Severity: normal
Keywords: key
Cc:
Architecture: Intel
Platform: Mac OS X 10.9

Description (last modified by dkocher)

I just upgraded to the latest snapshot, and still see this when connecting to hosts of mine

The fingerprint for the ECDSA key sent by the server is bc:d5:5d:36:a4:88:05:47:3d:8c:c0:a1:c2:79:5b:02.

I see this with many Ubuntu 14 VPS hosts which I connect to (not sure if they happen on CentOS hosts)

I do see new lines added to my known_hosts, often with the same signature

|1|9zJQi1kgtbav4hUbTpynNYrOMfk=|3iKfANR/mUwO+nnP30P80h9UPok= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABABPP3MOu9kj6PR4UaRTZ/2tt2G79lZ6E9vz6ijp8bkcuKoLTkY4K14NO2TWB53IWd6Jw8G+d2MmbL0+DCqZCiNQ==
|1|8VsGSG228W/EYlnCmbJTy8mhtuI=|I92YUz202+wnR29bC6pXyCQLRyM= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABABPP3MOu9kj6PR4UaRTZ/2tt2G79lZ6E9vz6ijp8bkcuKoLTkY4K14NO2TWB53IWd6Jw8G+d2MmbL0+DCqZCiNQ==

I don't know that I have any fancy setup causing the IP addresses/hostname to be obscured, and wouldn't care if I didn't anymore, but right now I'm getting stopped, having to say OK to the changed ECDSA key every time.

I'm not sure if/how this is different from related issues:

Attachments (1)

known_hosts (2.0 KB) - added by YesThatAllen on Jun 13, 2015 at 10:52:03 PM.
This is the known hosts related to the repro -June 13


Change History (21)

comment:1 Changed on Jun 7, 2015 at 7:39:00 PM by dkocher

  • Component changed from core to sftp
  • Description modified (diff)
  • Owner set to dkocher

comment:2 Changed on Jun 13, 2015 at 8:48:29 PM by dkocher

  • Status changed from new to assigned
  • Summary changed from Changed fingerprint - still on 4.8 to Changed fingerprint prompt and duplicate ECDSA host key entries in ~/.ssh/known_hosts

comment:3 in reply to: ↑ description Changed on Jun 13, 2015 at 8:54:36 PM by dkocher

Replying to YesThatAllen:

I don't know that I have any fancy setup causing the IP addresses/hostname to be obscured, and wouldn't care if I didn't anymore, but right now I'm getting stopped, having to say OK to the changed ECDSA key every time.

Hostnames are written to the known_hosts file with hashed representation as this prevents identifying information from being disclosed from the known_hosts file. Refer to the ssh-keygen -H option.
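Because each hashed entry carries its own random salt, two lines for the same host and key look unrelated as text, as in the pair quoted in the description. The following is an added example, not code from Cyberduck or from this ticket: it checks hashed entries against candidate hostnames and lists host/key pairs stored more than once, assuming the OpenSSH hashed format (`|1|`, base64 salt, `|`, base64 HMAC-SHA1 of the hostname keyed with the salt); the hostnames, salts and key blobs are constructed.

```python
import base64
import hashlib
import hmac
from collections import defaultdict


def hash_host(host, salt):
    """Build the hashed host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                             base64.b64encode(digest).decode())


def host_matches(field, host):
    """True if the hashed host field was derived from `host`."""
    parts = field.split("|")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        return False
    try:
        salt = base64.b64decode(parts[2], validate=True)
        want = base64.b64decode(parts[3], validate=True)
    except ValueError:  # malformed base64 in the salt or hash
        return False
    got = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(got, want)


def duplicate_entries(known_hosts, candidates):
    """Map (host, key type, key blob) -> line numbers, kept only if stored more than once."""
    seen = defaultdict(list)
    for lineno, line in enumerate(known_hosts.splitlines(), 1):
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # blanks, comments and @cert-authority/@revoked lines are out of scope
        names, ktype, blob = fields[:3]
        for host in candidates:
            # a plain-text field is a comma-separated name list; a hashed field holds one name
            if host_matches(names, host) or host in names.split(","):
                seen[(host, ktype, blob)].append(lineno)
    return {k: v for k, v in seen.items() if len(v) > 1}


# Constructed sample: same host and key saved twice under different salts.
KEY_A, KEY_B = "AAAAconstructedKeyBlobA=", "AAAAconstructedKeyBlobB="
SAMPLE = "\n".join([
    hash_host("files.example.test", b"A" * 20) + " ecdsa-sha2-nistp256 " + KEY_A,
    hash_host("files.example.test", b"B" * 20) + " ecdsa-sha2-nistp256 " + KEY_A,
    hash_host("192.0.2.10", b"C" * 20) + " ecdsa-sha2-nistp256 " + KEY_A,
    "git.example.test ssh-rsa " + KEY_B,
])
```

For a connection on a non-default port, OpenSSH hashes the name in the form `[host]:port`, so that string is the candidate to pass.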

comment:4 Changed on Jun 13, 2015 at 9:01:21 PM by dkocher

  • Resolution set to worksforme
  • Status changed from assigned to closed

Can you find any related output in the system.log (/Applications/Utilities/Console.app)? Please try if you can reproduce this error when moving aside the ~/.ssh/known_hosts file, starting from scratch with an empty configuration.

Changed on Jun 13, 2015 at 10:52:03 PM by YesThatAllen

This is the known hosts related to the repro -June 13

comment:5 Changed on Jun 13, 2015 at 10:52:27 PM by YesThatAllen

steps to repro on my 10.9.5 box running Cyberduck Version 4.8 (17722)

  • mv ~/.ssh/known_hosts ~/.ssh/known_hosts.sav
  • Connect to a saved Cyberduck bookmark
  • accept the host key -check "always": |1|WLOvbk6OX0BaEO8BRlw1RkFyby8=|TfTJLD9oc1zu0DABUA4Z8MdaZ0g= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABABPP3MOu9kj6PR4UaRTZ/2tt2G79lZ6E9vz6ijp8bkcuKoLTkY4K14NO2TWB53IWd6Jw8G+d2MmbL0+DCqZCiNQ==
  • navigate around, open files using command-k, all is well.
  • disconnect
  • do other things.. use gitbox to connect to GitHub, etc. (4 new lines are created in my known hosts file)
  • reconnect to the initial host via the bookmark,
  • get prompted for the ssh host again.

see today's attached known_hosts file

Last edited on Jun 14, 2015 at 7:29:14 AM by dkocher

comment:6 Changed on Jun 14, 2015 at 7:27:17 AM by dkocher

  • Resolution worksforme deleted
  • Status changed from closed to reopened

comment:7 Changed on Jun 14, 2015 at 7:51:42 AM by dkocher

I tried to reproduce the issue following your steps (thanks for the detailed instructions!) but couldn't when connecting to an EC2 instance with ECDSA keys followed by connecting to a host with RSA keys. Can you let me know the hostname of TfTJLD9oc1zu0DABUA4Z8MdaZ0g=?

comment:8 Changed on Jun 15, 2015 at 3:08:17 AM by YesThatAllen

sure, it's www.watchmanmonitoring.com

comment:9 Changed on Jun 15, 2015 at 3:42:30 AM by YesThatAllen

I should add that I don't think my connections to other RSA hosts made a difference other than to give Cyberduck time to forget about the first key it saved.

It seems to be doing the "math" wrong each new connection, not recognizing that the host was already saved.

comment:10 Changed on Jun 15, 2015 at 7:39:34 PM by dkocher

I can reproduce this issue when connecting to 173.230.133.218.

comment:11 follow-up: Changed on Jun 16, 2015 at 9:39:40 AM by dkocher

Add test in r17748.

comment:12 in reply to: ↑ 11 Changed on Jun 16, 2015 at 11:47:35 AM by dkocher

Replying to dkocher:

Add test in r17748.

The test is against OpenSSH_6.2 whereas 173.230.133.218 runs OpenSSH_6.6.1p1.

comment:13 Changed on Aug 24, 2015 at 9:54:25 AM by dkocher

Add test in r18032.

comment:14 Changed on Nov 4, 2015 at 2:42:46 PM by dkocher

#9092 closed as duplicate.

comment:15 Changed on Nov 17, 2015 at 3:40:24 PM by dkocher

Reference upstream #225

comment:16 Changed on Nov 20, 2015 at 11:00:41 AM by dkocher

  • Resolution set to fixed
  • Status changed from reopened to closed

In r18540.

comment:17 Changed on Feb 22, 2016 at 10:08:32 AM by dkocher

#9289 closed as duplicate.

comment:18 Changed on Feb 24, 2016 at 8:42:12 PM by dkocher

#9297 closed as duplicate.

comment:19 Changed on Aug 24, 2016 at 9:09:33 AM by dkocher

  • Milestone changed from 4.8 to 5.1

In r21313.

comment:20 Changed on Oct 18, 2016 at 3:18:03 PM by dkocher

#9481 closed as duplicate.
