LinuxQuestions.org
Old 12-04-2014, 05:59 PM   #1
astrogeek
ECDSA fingerprint error after FreeBSD upgrade


I recently upgraded my FreeBSD from 10.0 to 10.1.

I have ssh'd, sftp'd in and out of it during and since the upgrade without taking note of any unusual messages.

Today I needed to rsync a few things from the FreeBSD to another which I know has not been accessed since the upgrade and I got the following message:

Code:
slogin ------@-------
The authenticity of host '------- (--.--.--.--)' can't be established.
ECDSA key fingerprint is ------------.
No matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?
I am sure that IP has not changed (both static IP), the hardware has not changed and both are on a wired LAN behind a router. There is in fact an ecdsa key entry for this machine in ~/.ssh/known_hosts. I also get the same message for a second user account between the same two machines.

I do not recall seeing this message for other hosts to which I have ssh'd since the upgrade (although I will admit that it is possible I did see it and continued past it during the upgrade, thereby resetting the key).

The particular machine for which I am seeing this message is a sensitive one, so while I think it very unlikely to have been compromised, I would like to try to satisfy myself that there is another reasonable reason for this.

I know that OpenSSH was updated during the upgrade, and have read in the release notes that the startup script now generates ED25519 host keys if they do not exist - but I am not sure I understand what that means and whether it could be the cause.

Does anyone know if an upgrade from 10.0 to 10.1 would likely result in such behavior, or can anyone offer suggestions on what to do to ease my concerns?
 
Old 12-04-2014, 06:17 PM   #2
Ser Olmy
The error message says "no matching host key fingerprint found in DNS." It doesn't say that the key is unknown or changed, just that it cannot be found in DNS.

It would seem that recent versions of your SSH software support RFC 4255, a (surprisingly old) standard that allows for the publishing of SSH keys in DNS using a special kind of DNS record, "SSHFP". Since you don't have this kind of DNS record for your host, you get a warning.

You can either create an SSHFP record for this host as per these instructions, or just ignore the warning.
 
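Ser Olmy's reply describes the RFC 4255 SSHFP record. The following added Python example (not from the thread or from OpenSSH) builds the SSHFP RDATA for an OpenSSH host public-key line, the same three fields that `ssh-keygen -r` prints, and checks a DNS answer against it, which is the comparison ssh makes when VerifyHostKeyDNS is enabled. The key, hostname and DNS answer are constructed for the example.

```python
import base64
import hashlib
import struct

# SSHFP code points: algorithm (RFC 4255, 6594, 7479) and fingerprint type.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPES = {"sha1": 1, "sha256": 2}


def ssh_string(data):
    """Length-prefixed string as used inside SSH public-key blobs."""
    return struct.pack(">I", len(data)) + data


def sshfp_rdata(pubkey_line, fptype="sha256"):
    """Return (algorithm, fptype, hex fingerprint) for an OpenSSH public-key line.

    The fingerprint is the hash of the raw key blob (the base64 part), which is
    what ssh-keygen -r emits and what ssh compares against DNS.
    """
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob starts with the key type as an SSH string; reject a mismatch.
    inner_len = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + inner_len].decode() != keytype:
        raise ValueError("key type prefix does not match blob")
    digest = hashlib.new(fptype, blob).hexdigest()
    return SSHFP_ALGORITHMS[keytype], SSHFP_FPTYPES[fptype], digest


def dns_matches_key(dns_records, pubkey_line):
    """True if any (alg, fptype, hex) SSHFP record in the answer matches the key."""
    wanted = {sshfp_rdata(pubkey_line, ft) for ft in SSHFP_FPTYPES}
    return any((a, f, h.lower()) in wanted for a, f, h in dns_records)


# Constructed sample host key (32 sequential bytes, not a real host's key).
_RAW = bytes(range(32))
_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(_RAW)
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " host.example"

if __name__ == "__main__":
    alg, ft, fp = sshfp_rdata(SAMPLE_KEY)
    print("host.example. IN SSHFP %d %d %s" % (alg, ft, fp))
```

An empty answer, the situation in this thread, returns False from `dns_matches_key` and produces only the "No matching host key fingerprint found in DNS" line, not a changed-key error.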
Old 12-04-2014, 06:25 PM   #3
astrogeek
Quote:
Originally Posted by Ser Olmy
The error message says "no matching host key fingerprint found in DNS." It doesn't say that the key is unknown or changed, just that it cannot be found in DNS.

It would seem that recent versions of your SSH software supports RFC 4255, a (surprisingly old) standard that allows for the publishing of SSH keys in DNS using a special kind of DNS record, "SSHFP". Since you don't have this kind of DNS record for your host, you get a warning.
I have been reading this very thing since posting my question. It appears that I can disable the IP check to silence it, or simply answer yes and get on with life.

Quote:
Originally Posted by Ser Olmy
You can either create an SSHFP record for this host as per these instructions, or just ignore the warning.
I am not an SSH guru, but I am a heavy SSH user and always like to understand when I see new things happen to remain in my comfort zone.

Thanks for the links and reassurance!
 
Old 12-04-2014, 06:52 PM   #4
astrogeek
By the way, your link is broken, includes a trailing double-quote...
This will get others to the page: RFC 4255
 
Old 12-09-2014, 01:18 AM   #5
astrogeek
I am going to mark this as solved before I forget about it.

The problem is indeed the lack of fingerprint in DNS, not an invalid fingerprint.

The options are to create an SSHFP record as described in the link provided above, or to simply type "yes" and continue, which is what I ultimately did.

My concern was that the hosts involved had participated in SSH sessions both ways in the past, so the appearance of a new warning message after the FreeBSD host was updated, and apparently only for selected hosts, seemed odd.

My update from 10.0 to 10.1 and subsequent update of all ports occurred over several days, and I now think it is likely that I may have seen the message for the other hosts during the update as well and simply typed yes and forgot about it.

Either way, no compromise or errors or harm... so done.

Thanks to Ser Olmy for the response.