hierynomus/sshj

Host key verification with multiple entries for the same server in known_hosts

ragebiswas opened this issue · 4 comments

Hi,
Please correct me if I'm wrong, but it looks like SSHJ does not handle the case of the OpenSSH known_hosts file having multiple entries for the same server. This can end up in practice due to new keys (or even due to servers behind a load balancer perhaps).

The following code in OpenSSHKnownHosts:verify seems to be doing the verification:

  try {
      if (e.appliesTo(type, adjustedHostname))
          return e.verify(key) || hostKeyChangedAction(e, adjustedHostname, key);
  } catch (IOException ioe) {
      log.error("Error with {}: {}", e, ioe);
      return false;
  }

However, openssh itself seems to handle this by trying all keys that match the server, and validates if any of them match.

Am I missing something here? If the above diagnosis is correct, I'd be happy to submit a PR :)
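To make the difference concrete, here is an added, stand-alone Java example (not sshj's code, and not the PR): it models a known_hosts file with a hypothetical KnownHostEntry class of its own, and contrasts the first-applicable-entry-decides check quoted above with OpenSSH's try-every-matching-entry check. Plain entries may list several comma-separated names; hashed entries use OpenSSH's real "|1|base64(salt)|base64(HMAC-SHA1(salt, host))" form. The KEY_* blobs, host names, salt and the Result enum are constructed placeholders for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class KnownHostsDemo {
    /** One known_hosts line "hosts keytype base64key [comment]"; a hypothetical model, not sshj's class. */
    static final class KnownHostEntry {
        final String hostField, keyType, keyBase64;

        KnownHostEntry(String h, String t, String k) { hostField = h; keyType = t; keyBase64 = k; }

        static KnownHostEntry parse(String line) {
            String t = line.trim();
            if (t.isEmpty() || t.startsWith("#")) return null;
            String[] p = t.split("\\s+");
            return p.length < 3 ? null : new KnownHostEntry(p[0], p[1], p[2]);
        }

        /** Covers this host and key type? Hashed hosts ("|1|salt|hmac") are checked with HMAC-SHA1 as OpenSSH does. */
        boolean appliesTo(String type, String host) {
            if (!keyType.equals(type)) return false;
            if (hostField.startsWith("|1|")) {
                String[] p = hostField.split("\\|");           // ["", "1", base64 salt, base64 hmac]
                try {
                    return p.length == 4 && hashedHostField(Base64.getDecoder().decode(p[2]), host).equals(hostField);
                } catch (IllegalArgumentException malformed) {  // undecodable salt: entry does not apply
                    return false;
                }
            }
            for (String name : hostField.split(",")) {         // plain entries may list several names
                if (name.equals(host)) return true;
            }
            return false;
        }

        boolean verify(String presentedKeyBase64) { return keyBase64.equals(presentedKeyBase64); }
    }

    /** OpenSSH's hashed host form: "|1|base64(salt)|base64(HMAC-SHA1(salt, hostname))". */
    static String hashedHostField(byte[] salt, String host) {
        try {
            Mac mac = Mac.getInstance("HmacSHA1");
            mac.init(new SecretKeySpec(salt, "HmacSHA1"));
            byte[] digest = mac.doFinal(host.getBytes(StandardCharsets.UTF_8));
            Base64.Encoder b64 = Base64.getEncoder();
            return "|1|" + b64.encodeToString(salt) + "|" + b64.encodeToString(digest);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA1 unavailable", e);
        }
    }

    enum Result { TRUSTED, CHANGED, UNKNOWN }

    /** The behaviour the issue describes: the first applicable entry decides the outcome. */
    static Result verifyFirstOnly(List<KnownHostEntry> entries, String host, String type, String key) {
        for (KnownHostEntry e : entries) {
            if (e.appliesTo(type, host)) return e.verify(key) ? Result.TRUSTED : Result.CHANGED;
        }
        return Result.UNKNOWN;
    }

    /** OpenSSH semantics: accept if ANY applicable entry matches; report CHANGED only after all were tried. */
    static Result verifyAll(List<KnownHostEntry> entries, String host, String type, String key) {
        boolean sawCandidate = false;
        for (KnownHostEntry e : entries) {
            if (!e.appliesTo(type, host)) continue;
            sawCandidate = true;
            if (e.verify(key)) return Result.TRUSTED;
        }
        return sawCandidate ? Result.CHANGED : Result.UNKNOWN;
    }

    static List<KnownHostEntry> load(String knownHostsText) {
        List<KnownHostEntry> entries = new ArrayList<>();
        for (String line : knownHostsText.split("\n")) {
            KnownHostEntry e = KnownHostEntry.parse(line);
            if (e != null) entries.add(e);
        }
        return entries;
    }

    public static void main(String[] args) {
        // Constructed known_hosts content; the KEY_* blobs are placeholders, not real public keys.
        byte[] salt = "constructed-20-byte!".getBytes(StandardCharsets.UTF_8);
        List<KnownHostEntry> entries = load(String.join("\n",
            "# two ed25519 keys for one name, e.g. two nodes behind a load balancer",
            "lb.example.test,10.0.0.5 ssh-ed25519 KEY_NODE_A",
            "lb.example.test,10.0.0.6 ssh-ed25519 KEY_NODE_B",
            hashedHostField(salt, "[git.example.test]:2222") + " ssh-ed25519 KEY_GIT"));
        String host = "lb.example.test", type = "ssh-ed25519";
        // Node B's key: first-entry-only logic treats it as a changed key, try-all logic trusts it.
        System.out.println("first-only, KEY_NODE_B: " + verifyFirstOnly(entries, host, type, "KEY_NODE_B"));
        System.out.println("try-all,    KEY_NODE_B: " + verifyAll(entries, host, type, "KEY_NODE_B"));
        // A key matching none of the host's entries is still flagged, so the stricter check is not weakened.
        System.out.println("try-all,    KEY_ROGUE:  " + verifyAll(entries, host, type, "KEY_ROGUE"));
        System.out.println("try-all,    hashed git: " + verifyAll(entries, "[git.example.test]:2222", type, "KEY_GIT"));
    }
}
```

The point of keeping a sawCandidate flag in verifyAll is that "changed key" must only be raised once every entry for that host and key type has been tried and none matched; returning on the first mismatch is what produces the false alarm for a second node behind a load balancer or a freshly rotated key that was added alongside the old one.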

Seems like you're right, I missed that corner case!
Happy to accept a PR! Don't forget to add tests ;)

What I'm wondering though, how does OpenSSH handle multiple keys of the same keyformat for the same host? Does it try all of the host entries?

Yes, that's what it looked like from my experiments. I will submit a PR by next week (with test cases :-) )

Hey @hierynomus - #406 is the PR. Please take a look whenever you get a chance :)