Package: openssh-client
Version: 1:7.4p1-7
Severity: important

This was originally reported in
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1670745 and
https://bugzilla.mindrot.org/show_bug.cgi?id=2692.  Here's the eventual
distilled report:

  When running an ssh-keyscan with the -H option on a custom port, the port
  is not included in the hash and is in plain text.  For example:

    $ ssh-keyscan -H -p 2222 10.10.10.10
    [|1|HASHED_IP]:2222 ssh-rsa MY_RSA_KEY

  If however I run ssh-keygen without the -H and then come back with
  ssh-keygen, it will hash the port:

    $ ssh-keyscan -p 2222 10.10.10.10 > ~/.ssh/authorized_keys
    [10.10.10.10]:2222 ssh-rsa MY_RSA_KEY
    $ ssh-keygen -H -f ~/.ssh/authorized_keys
    $ cat ~/.ssh/authorized_keys
    |1|HASHED_IP_AND_PORT ssh-rsa MY_RSA_KEY

Upstream said:

  ssh-keyscan is in error here.  It's supposed to include the port in the
  hash as ssh and ssh-keygen do.

-- 
Colin Watson [cjwat...@debian.org]
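Added example (not part of the bug report and not OpenSSH code): a Python reconstruction of the hashed known_hosts name token, |1|base64(salt)|base64(HMAC-SHA1(salt, name)), with an audit function that tells a correctly hashed "[host]:port" entry apart from the leaking "[|1|...]:port" form shown above. The 20-byte salt, the field layout, the helper names and the constructed sample lines are assumptions of this example, not values from the page.

```python
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"  # known_hosts hashed-name marker (assumed format)


def known_hosts_name(host, port=22):
    """Name ssh hashes: bare host on port 22, "[host]:port" otherwise."""
    return host if port == 22 else "[%s]:%d" % (host, port)


def hash_known_host(name, salt=None):
    """Build |1|base64(salt)|base64(HMAC-SHA1(salt, name)); 20-byte salt."""
    if salt is None:
        salt = os.urandom(20)
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "%s%s|%s" % (HASH_MAGIC, base64.b64encode(salt).decode(),
                        base64.b64encode(digest).decode())


def hashed_name_matches(token, name):
    """True if the hashed token was computed over exactly `name`."""
    if not token.startswith(HASH_MAGIC):
        return False
    try:
        salt_b64, digest_b64 = token[len(HASH_MAGIC):].split("|", 1)
        salt = base64.b64decode(salt_b64)
        digest = base64.b64decode(digest_b64)
    except ValueError:
        return False
    expected = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, digest)


def audit_line(line, host, port):
    """Classify a known_hosts line for host:port.

    'correct'   - hash covers "[host]:port" (what ssh and ssh-keygen do)
    'port-leak' - hash covers the bare host, port appended in clear text
                  (the "[|1|HASHED_IP]:2222" shape from the report)
    'other'     - does not match this host at all
    """
    fields = line.split()
    if not fields:
        return "other"
    name_field = fields[0]
    suffix = "]:%d" % port
    if name_field.startswith("[") and name_field.endswith(suffix):
        inner = name_field[1:-len(suffix)]
        if hashed_name_matches(inner, host):
            return "port-leak"
    if hashed_name_matches(name_field, known_hosts_name(host, port)):
        return "correct"
    return "other"
```

Run audit_line over each line of a known_hosts file written by ssh-keyscan -H to find entries whose port is exposed; those lines can be regenerated without -H and re-hashed with ssh-keygen -H as the report describes.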