From d20bb6b1d2849b35b73b8be3459f50475e760c9d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Ospal=C3=BD?=
Date: Thu, 18 Jun 2020 18:19:31 +0200
Subject: [PATCH] B OpenNebula/one#4935: Fix hashed known_hosts (#8)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This commit fixes problem when host key is already added in SSH `known_hosts` file but SSH fails to validate this host key.

NOTE: This problem manifests only when simulating 'accept-new' feature of the newer SSH (>v7.6) via 'Match' with 'ssh-keygen -F'.

The cause of this problem is the fact that hostname is stored always in lowercase even if the hostname had an upcase character. It means that the record in `known_hosts` file for hostname `ABC` becomes something like 'abc,10.0.0.10' - which in turn is hashed...

Therefore SSH with `HashKnownHosts=yes` is comparing wrong hashes: hash('ABC,10.0.0.10') vs hash('abc,10.0.0.10')

Most likely a bug or an oversight in SSH. With this option disabled (`HashKnownHosts=no`) both upcased `ABC` and lowercased `abc` work.

Example with *ENABLED* `HashKnownHosts=yes`:

[oneadmin@ABC ~] hostname
ABC
[oneadmin@ABC ~] rm -f ~/.ssh/known_hosts
[oneadmin@ABC ~] ssh-keyscan -H $(hostname) >> ~/.ssh/known_hosts
[oneadmin@ABC ~]$ ssh ABC # this fails
No ECDSA host key is known for abc and you have requested strict checking.
Host key verification failed.
[oneadmin@ABC ~]$ ssh abc # this works
Warning: Permanently added 'abc,10.10.0.41' (ECDSA) to the list of known hosts.
Last login: Mon Jun 15 04:32:38 2020 from ::1
[oneadmin@ABC ~]$ # success with lowercase hostname

Signed-off-by: Petr OspalĂ˝

(cherry picked from commit 2c36183a21276a852fd8e42a632c6846aa87f469)
---
 share/ssh/etc/config-pre7.6 | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/share/ssh/etc/config-pre7.6 b/share/ssh/etc/config-pre7.6
index acb0c52797..c4ad2cedbd 100644
--- a/share/ssh/etc/config-pre7.6
+++ b/share/ssh/etc/config-pre7.6
@@ -13,6 +13,7 @@
 # if NOT, we expect this is the very first access and accept the key.
 # All further accesses already use strict host key checking.
 Match !exec "ssh-keygen -F %h 2>/dev/null || ssh-keygen -F %h -f /etc/ssh/ssh_known_hosts 2>/dev/null"
+ HashKnownHosts no
 StrictHostKeyChecking no
 ServerAliveInterval 10
 #############################################################################
@@ -34,6 +35,7 @@ Match !exec "ssh-keygen -F %h 2>/dev/null || ssh-keygen -F %h -f /etc/ssh/ssh_kn
 ControlPath /run/one/ssh-socks/ctl-M-%C.sock

 Host *
+ HashKnownHosts no
 StrictHostKeyChecking yes
 ServerAliveInterval 10
 # IMPORTANT: set the following 'Control*' options the same way as above
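Review bot: Neither added `HashKnownHosts no` line (first hunk under the `Match !exec` block, second hunk under `Host *`) records why hashing is disabled, although the neighbouring lines of this file comment the Match logic; the reason currently lives only in the commit message. Above the first addition I would put `# Do not hash known_hosts entries: the 'ssh-keygen -F %h' lookup in the Match above cannot find a hashed entry when %h differs in case from the stored (lowercased) name, see OpenNebula/one#4935` and on the second a short `# keep in sync with the Match block above`. The same comment should state the trade-off, that known_hosts now lists the contacted hostnames in clear text, and that entries hashed before this change are, as far as I can tell, not rewritten by this option and will keep failing the lookup until they are re-added.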