Host key verification with multiple entries for the same server in known_hosts #405

Closed
ragebiswas opened this issue Mar 1, 2018 · 4 comments

Comments

@ragebiswas

ragebiswas commented Mar 1, 2018

Hi,
Please correct me if I'm wrong, but it looks like SSHJ does not handle the case of the OpenSSH known_hosts file having multiple entries for the same server. This can end up in practice due to new keys (or even due to servers behind a load balancer perhaps).

The following code in OpenSSHKnownHosts:verify seems to be doing the verification:

    // inside the loop over the known_hosts entries `e`
    try {
        if (e.appliesTo(type, adjustedHostname))
            return e.verify(key) || hostKeyChangedAction(e, adjustedHostname, key);
    } catch (IOException ioe) {
        log.error("Error with {}: {}", e, ioe);
        return false;
    }

However, openssh itself seems to handle this by trying all keys that match the server, and validates if any of them match.

Am I missing something here? If the above diagnosis is correct, I'd be happy to submit a PR :)
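An added example (not SSHJ's code) that contrasts the first-match behaviour quoted above with OpenSSH's approach of consulting every entry for the host; the known_hosts content, hostnames and key blobs are constructed for the demonstration.

```python
from dataclasses import dataclass

# Constructed known_hosts content: example.com appears twice with two different
# ssh-ed25519 keys (an old one and the current one). The key blobs are
# placeholders, not real public keys.
KNOWN_HOSTS = """\
example.com,203.0.113.10 ssh-ed25519 AAAAOLDKEY000000000000000000000000000000000
example.com ssh-ed25519 AAAANEWKEY000000000000000000000000000000000
other.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0000000000000000
"""

@dataclass
class Entry:
    hosts: list          # comma-separated host patterns from the first column
    key_type: str        # e.g. ssh-ed25519
    key: str             # base64 key blob as written in the file

    def applies_to(self, key_type, hostname):
        return self.key_type == key_type and hostname in self.hosts

    def verify(self, key):
        return self.key == key

def parse_known_hosts(text):
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, key_type, key = line.split()[:3]
        entries.append(Entry(hosts.split(","), key_type, key))
    return entries

def verify_first_match(entries, hostname, key_type, key):
    """The behaviour described in the issue: decide on the first applicable entry.
    Returns 'ok', 'changed' (hostKeyChangedAction case) or 'unknown'."""
    for e in entries:
        if e.applies_to(key_type, hostname):
            return "ok" if e.verify(key) else "changed"  # later entries never seen
    return "unknown"

def verify_any_match(entries, hostname, key_type, key):
    """OpenSSH-style: accept if any applicable entry carries the presented key;
    report 'changed' only when the host is known but no entry matches."""
    candidates = [e for e in entries if e.applies_to(key_type, hostname)]
    if not candidates:
        return "unknown"
    return "ok" if any(e.verify(key) for e in candidates) else "changed"
```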

@hierynomus
Owner

Seems like you're right, I missed that corner case!
Happy to accept a PR! Don't forget to add tests ;)

@hierynomus
Owner

What I'm wondering though, how does OpenSSH handle multiple keys of the same keyformat for the same host? Does it try all of the host entries?

@ragebiswas
Author

Yes, that's what it looked like from my experiments. I will submit a PR by next week (with test cases :-) )

@ragebiswas
Author

Hey @hierynomus - #406 is the PR. Please take a look whenever you get a chance :)