shaba/one
1
0
Fork 0
mirror of https://github.com/OpenNebula/one.git synced 2025-01-10 01:17:40 +03:00
Code Releases Wiki Activity

B OpenNebula/one#4935: Fix hashed known_hosts (#8)

Browse Source 
This commit fixes problem when host key is already added in SSH
`known_hosts` file but SSH fails to validate this host key.

NOTE:
This problem manifests only when simulating 'accept-new' feature of the
newer SSH (>v7.6) via 'Match' with 'ssh-keygen -F'.

The cause of this problem is the fact that hostname is stored always
in lowercase even if the hostname had an upcase character.

It means that the record in `known_hosts` file for hostname `ABC`
becomes something like 'abc,10.0.0.10' - which in turn is hashed...

Therefore SSH with `HashKnownHosts=yes` is comparing wrong hashes:
    hash('ABC,10.0.0.10') vs hash('abc,10.0.0.10')

Most likely a bug or an oversight in SSH.

With this option disabled (`HashKnownHosts=no`) both upcased `ABC`
and lowercased `abc` work.

Example with *ENABLED* `HashKnownHosts=yes`:

    [oneadmin@ABC ~] hostname
    ABC
    [oneadmin@ABC ~] rm -f ~/.ssh/known_hosts
    [oneadmin@ABC ~] ssh-keyscan -H $(hostname) >> ~/.ssh/known_hosts
    [oneadmin@ABC ~]$ ssh ABC # this fails
    No ECDSA host key is known for abc and you have requested strict
    checking.
    Host key verification failed.
    [oneadmin@ABC ~]$ ssh abc # this works
    Warning: Permanently added 'abc,10.10.0.41' (ECDSA) to the list
    of known hosts.
    Last login: Mon Jun 15 04:32:38 2020 from ::1
    [oneadmin@ABC ~]$ # success with lowercase hostname

Signed-off-by: Petr Ospalý <pospaly@opennebula.io>
This commit is contained in:
Petr Ospalý 2020-06-18 18:19:31 +02:00 committed by GitHub
parent 119c144f87
commit 2c36183a21
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
share/ssh/etc/config-pre7.6
View File

@ -13,6 +13,7 @@
# if NOT, we expect this is the very first access and accept the key.
# All further accesses already use strict host key checking.
Match !exec "ssh-keygen -F %h 2>/dev/null || ssh-keygen -F %h -f /etc/ssh/ssh_known_hosts 2>/dev/null"
HashKnownHosts no
StrictHostKeyChecking no
ServerAliveInterval 10
#############################################################################
@ -34,6 +35,7 @@ Match !exec "ssh-keygen -F %h 2>/dev/null || ssh-keygen -F %h -f /etc/ssh/ssh_kn
ControlPath /run/one/ssh-socks/ctl-M-%C.sock
Host *
HashKnownHosts no
StrictHostKeyChecking yes
ServerAliveInterval 10
# IMPORTANT: set the following 'Control*' options the same way as above