Mention ssh-keygen in ssh fingerprint changed warning

Author: Chris Lamb <lamby@debian.org>
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843
Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607
Last-Update: 2023-12-11

Patch-Name: mention-ssh-keygen-on-keychange.patch

1 files changed, 8 insertions, 1 deletions

diff --git a/sshconnect.c b/sshconnect.c
index 1d5bcc782..23f79ed2b 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1277,9 +1277,13 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo,
 			error("%s. This could either mean that", key_msg);
 			error("DNS SPOOFING is happening or the IP address for the host");
 			error("and its host key have changed at the same time.");
-			if (ip_status != HOST_NEW)
+			if (ip_status != HOST_NEW) {
 				error("Offending key for IP in %s:%lu",
 				    ip_found->file, ip_found->line);
+				error("  remove with:");
+				error("  ssh-keygen -f '%s' -R '%s'",
+				    ip_found->file, ip);
+			}
 		}
 		/* The host key has changed. */
 		warn_changed_key(host_key);
@@ -1291,6 +1295,9 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo,
 		error("Offending %s key in %s:%lu",
 		    sshkey_type(host_found->key),
 		    host_found->file, host_found->line);
+		error("  remove with:");
+		error("  ssh-keygen -f '%s' -R '%s'",
+		    host_found->file, host);
 
 		/*
 		 * If strict host key checking is in use, the user will have