Bug 1971 - ssh-keyscan should default to ecdsa or ecdsa,rsa
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh-keyscan
Version: 5.9p1
Hardware: All All
Importance: P2 normal
Assignee: Assigned to nobody
Blocks: V_6_1
Reported: 2012-01-11 05:11 AEDT by jay
Modified: 2015-08-11 23:02 AEST

Description jay 2012-01-11 05:11:12 AEDT
Now that ssh defaults to preferring ECDSA keys, ssh-keyscan should default to looking for them. Otherwise, naively following the 5.7 release notes and doing a keyscan on all your hosts is WORSE than ignoring the release notes; you've just created RSA keys for all your hosts, and if you ssh to any host for which you don't already have an ECDSA key, you'll get the confusing

Warning: the ECDSA host key for 'www.example.com' differs from the key for the IP address '10.1.2.3'
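
A way to check an existing known_hosts file for the situation the description reports, that is, names or addresses that have an RSA key stored but no ECDSA key. This is an added example, not part of the bug report or of OpenSSH; the function names are hypothetical and the sample file is constructed, with placeholder key blobs.

```python
"""Report known_hosts entries that hold an RSA host key but no ECDSA one."""
from collections import defaultdict

# Constructed sample known_hosts content; the key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
# populated by a keyscan that only asked for RSA keys
www.example.com,10.1.2.3 ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER
db.example.com ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER
db.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY-PLACEHOLDER
@cert-authority *.example.org ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER
|1|c2FsdA==|aGFzaA== ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER
"""


def key_types_by_host(text):
    """Map each host name, address or hashed entry to its stored key types."""
    types = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        if fields[0].startswith("@"):
            continue  # @cert-authority / @revoked markers are not plain host keys
        if len(fields) < 3:
            continue  # malformed entry: need hosts, key type and key blob
        hosts, key_type = fields[0], fields[1]
        # One line may list several comma-separated names; a hashed entry
        # (|1|salt|hash) has no commas and is kept as one opaque identifier.
        for host in hosts.split(","):
            types[host].add(key_type)
    return types


def rsa_only_hosts(text):
    """Return entries with ssh-rsa stored but no ecdsa-sha2-* key, sorted."""
    return sorted(
        host
        for host, key_types in key_types_by_host(text).items()
        if "ssh-rsa" in key_types
        and not any(k.startswith("ecdsa-sha2-") for k in key_types)
    )


if __name__ == "__main__":
    for host in rsa_only_hosts(SAMPLE_KNOWN_HOSTS):
        print(f"{host}: RSA key only, no ECDSA key recorded")
```

Entries it reports can be rescanned with `ssh-keyscan -t ecdsa,rsa`, with the fetched keys compared against fingerprints obtained out of band before they are trusted.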
Comment 1 Damien Miller 2012-04-11 23:34:40 AEST
Fix applied - will be in OpenSSH 6.1
Comment 2 Damien Miller 2015-08-11 23:02:37 AEST
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1