Strange problem... I suspect a bug inside ssh-keyscan, but maybe I'm wrong.
ssh-keyscan -H -t ecdsa host1,1.1.1.1 >> ~/.ssh/known_hosts
The command fetches host1's fingerprint into known_hosts (hostname and IP appear hashed correctly), BUT when I ssh into host1 using either the hostname or the IP, I get prompted to accept the public key of the host. Since I "already" have it in there, I consider this to be an error.
Edit: I should mention that if I don't hash the hostname and ip inside the known_hosts file (ssh-keyscan without the '-H' option) then everything works. (-H is documented in man ssh-keyscan)
Does anyone know how to fix this? Or is this the way it's supposed to work for some odd reason?
Is it maybe because the entry inside known_hosts has both in its hash, and later when it compares the name or IP, it technically doesn't match since it's not "both" the IP and hostname being compared?
Last Edit: Cleaned things up to make it simpler.
Thanks in advance,
Marc
If you want to add hashed entries to your known_hosts file, you should hash it first:
ssh-keygen -H
From man pages for ssh-keygen:
-H Hash a known_hosts file. This replaces all hostnames and addresses with hashed representations within the specified file; the original content is moved to a file with a .old suffix. These hashes may be used normally by ssh and sshd, but they do not reveal identifying information should the file's contents be disclosed. This option will not modify existing hashed hostnames and is therefore safe to use on files that mix hashed and non-hashed names.
Then you can add new entries to your known_hosts like this:
ssh-keyscan -Ht ecdsa [hostname],[IP address] >> known_hosts
And you should be done.
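The hypothesis in the question (that a single hash covering "host1,1.1.1.1" can never match a lookup for just "host1" or just "1.1.1.1") can be checked directly, because the hashed known_hosts format is public: a host field of the form |1|base64(salt)|base64(HMAC-SHA1(salt, hostname)), where ssh re-derives the HMAC with the entry's own salt for every candidate name. The script below is an added example, not code from the question, the answer, or OpenSSH: it builds one entry hashed over the combined alias string and two entries hashed per name, then runs a simplified known_hosts lookup over both. The key blob, the salt and the host names are constructed placeholders; real ssh matching also handles [host]:port syntax, wildcard patterns and @cert-authority / @revoked markers, which are omitted here.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed placeholder, not a real host key.
KEY_BLOB = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEXAMPLE="
# Fixed salt so the demo is deterministic; ssh-keyscan/ssh-keygen draw a random one per entry.
DEMO_SALT = b"\x01" * 20


def hash_host(name: str, salt: Optional[bytes] = None) -> str:
    """Produce an OpenSSH-style hashed host token: |1|<b64 salt>|<b64 HMAC-SHA1(salt, name)>."""
    if salt is None:
        salt = os.urandom(20)
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def hashed_token_matches(token: str, name: str) -> bool:
    """Re-derive the HMAC with the token's own salt and compare it in constant time."""
    parts = token.split("|")
    if len(parts) != 4 or parts[1] != "1":
        return False
    salt = base64.b64decode(parts[2])
    expected = base64.b64decode(parts[3])
    actual = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def matching_lines(known_hosts_text: str, name: str) -> List[str]:
    """Return known_hosts lines whose host field matches `name`.
    Hashed fields are checked by re-deriving the HMAC; plain fields are split on commas,
    which is the alias handling the question's hashed entry loses."""
    matches = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hostfield = line.split(None, 1)[0]
        if hostfield.startswith("|1|"):
            if hashed_token_matches(hostfield, name):
                matches.append(line)
        elif name in hostfield.split(","):
            matches.append(line)
    return matches


def combined_entry() -> str:
    """One entry whose hash covers the whole alias string 'host1,1.1.1.1'."""
    return hash_host("host1,1.1.1.1", DEMO_SALT) + " " + KEY_BLOB


def separate_entries() -> str:
    """Two entries, each hashed over a single name, as ssh-keygen -H would emit them."""
    return "\n".join(hash_host(n, DEMO_SALT) + " " + KEY_BLOB for n in ("host1", "1.1.1.1"))


if __name__ == "__main__":
    for label, text in (("combined", combined_entry()), ("separate", separate_entries())):
        for name in ("host1", "1.1.1.1"):
            hit = bool(matching_lines(text, name))
            print("%-8s lookup %-8s -> %s" % (label, name, "match" if hit else "no match"))
```

Running it shows the combined entry matching neither "host1" nor "1.1.1.1", while the per-name entries match each. The practical check on a real file is the same idea: use `ssh-keygen -F host1` (and `ssh-keygen -F 1.1.1.1`) against ~/.ssh/known_hosts; if neither lookup prints the line you appended, the hash does not cover the name you connect with.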