Thanks for the bug report! Steps to reproduce:
$ lxc launch ubuntu-daily:xenial xenial # edit /etc/ssh/sshd_config and change port to 2222 # service ssh restart # ip a to note container IP # exit $ ssh-keyscan -H -p 2222 <container IP> The port will be in the output and not hashed as described in the report. The linked Github issue did state there is a workaround by getting the values unhashed and then hashing them in a second step. Not saying this is ideal, but it is a workaround: $ ssh-keyscan -p 2222 <container IP> $ ssh-keygen -H -f .ssh/authorized_keys && rm .ssh/authorized_keys.old Because the man page for ssh-keyscan clearly states that -H will include the hostnames and addres and makes no mention of port in the hash, I have filed a bug with openssh to get clarity on the expected behavior and if this should be fixed. ** Bug watch added: OpenSSH Portable Bugzilla #2692 https://bugzilla.mindrot.org/show_bug.cgi?id=2692 ** Also affects: openssh via https://bugzilla.mindrot.org/show_bug.cgi?id=2692 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1670745 Title: ssh-keyscan : bad host signature when using port option Status in portable OpenSSH: Unknown Status in openssh package in Ubuntu: New Bug description: When I use the port option with ssh-keygen, the result is not compatible with ssh known_host file format. UBUNTU VERSION : ================ lsb_release -rd Description: Ubuntu 16.04.1 LTS Release: 16.04 BAD : ============ :~/.ssh$ cat /etc/issue Ubuntu 16.04.1 LTS \n \l :~/.ssh$ ssh-keyscan -v -p [...port...] -t ecdsa -H [...snip...] debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000 # [...snip...]:[...port...] SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3 debug1: Enabling compatibility mode for protocol 2.0 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: algorithm: curve25519-sha...@libssh.org debug1: kex: host key algorithm: ecdsa-sha2-nistp256 debug1: kex: server->client cipher: chacha20-poly1...@openssh.com MAC: <implicit> compression: none debug1: kex: client->server cipher: chacha20-poly1...@openssh.com MAC: <implicit> compression: none debug1: expecting SSH2_MSG_KEX_ECDH_REPLY [|1|BEEwVcggbNPf7fUydgU4O+BDoLg=|9SmWBUxFZkpR70Hqq8uqxLAzXFU=]:[...port...] ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLEde+dZfL0TW6Z9jh+gOkW5fG/qeP9JAejKQXdmg9D7CH4NwMrWDEjXBDDo6iirIPAB6M0uUnK2mDw7uUWXYt8= ==> we see the port number because it is not hashed ! GOOD : ============ rm ~/.ssh/known_hosts :~/$ ssh -p [...port...] [...snip...] The authenticity of host '[[...snip...]]:[...port...] ([[...snip...]]:[...port...])' can't be established. ECDSA key fingerprint is SHA256:b/Jx+y3fNWFqOqTzFRI3XGrz33DBtAFFLmQaYQYFRnM. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '[[...snip...]]:[...port...],[[...snip...]]:[...port...]' (ECDSA) to the list of known hosts. [...snip...]@[...snip...]'s password: :~/$ !cat cat ~/.ssh/known_hosts |1|qdg91H9/DMHLO7yGOivI17+WFQI=|B+a6SrzF1GBd3XFvmAvQRnJxLWs= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLEde+dZfL0TW6Z9jh+gOkW5fG/qeP9JAejKQXdmg9D7CH4NwMrWDEjXBDDo6iirIPAB6M0uUnK2mDw7uUWXYt8= |1|8I/vbrBV04VaUF12JXRwxvAL9So=|ToMf+kRwbSeNertVdUVuG3iLdH8= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLEde+dZfL0TW6Z9jh+gOkW5fG/qeP9JAejKQXdmg9D7CH4NwMrWDEjXBDDo6iirIPAB6M0uUnK2mDw7uUWXYt8= ==> we cannot see the port number as it is well hashed ! REMARKS : ============== Same problem has already reported here (on macOS): https://github.com/ansible/ansible-modules-extras/issues/2651 It seems that ssh-keyscan version and open-ssh version differs : dpkg -l | grep openssh :: ii openssh-client 1:7.2p2-4ubuntu2.1 [...] ssh-keyscan -v [...] :: debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000 It is very annoying because I am trying to manage hand installed VMs with Ansible. For that I want to automate SSH host keys storing in known_hosts database. And because of this bug I can't. (ansible KIKIN project in development). Thank you, BR, Gautier HUSSON. To manage notifications about this bug go to: https://bugs.launchpad.net/openssh/+bug/1670745/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
