one/ssh at 200721cb8ac555df5ba847cc12a5cd95a0930575 - one

shaba/one

mirror of https://github.com/OpenNebula/one.git synced 2024-12-23 17:33:56 +03:00

History

Petr Ospalý 2c36183a21 B OpenNebula/one#4935: Fix hashed known_hosts (#8 ) This commit fixes problem when host key is already added in SSH `known_hosts` file but SSH fails to validate this host key. NOTE: This problem manifests only when simulating 'accept-new' feature of the newer SSH (>v7.6) via 'Match' with 'ssh-keygen -F'. The cause of this problem is the fact that hostname is stored always in lowercase even if the hostname had an upcase character. It means that the record in `known_hosts` file for hostname `ABC` becomes something like 'abc,10.0.0.10' - which in turn is hashed... Therefore SSH with `HashKnownHosts=yes` is comparing wrong hashes: hash('ABC,10.0.0.10') vs hash('abc,10.0.0.10') Most likely a bug or an oversight in SSH. With this option disabled (`HashKnownHosts=no`) both upcased `ABC` and lowercased `abc` work. Example with ENABLED `HashKnownHosts=yes`: [oneadmin@ABC ~] hostname ABC [oneadmin@ABC ~] rm -f ~/.ssh/known_hosts [oneadmin@ABC ~] ssh-keyscan -H $(hostname) >> ~/.ssh/known_hosts [oneadmin@ABC ~]$ ssh ABC # this fails No ECDSA host key is known for abc and you have requested strict checking. Host key verification failed. [oneadmin@ABC ~]$ ssh abc # this works Warning: Permanently added 'abc,10.10.0.41' (ECDSA) to the list of known hosts. Last login: Mon Jun 15 04:32:38 2020 from ::1 [oneadmin@ABC ~]$ # success with lowercase hostname Signed-off-by: Petr Ospalý <pospaly@opennebula.io>	2020-06-18 18:19:31 +02:00
..
bin	F #1473 : Update SSH config and sockets (#4733 )	2020-05-15 18:51:04 +02:00
etc	B OpenNebula/one#4935: Fix hashed known_hosts (#8 )	2020-06-18 18:19:31 +02:00

B OpenNebula/one#4935: Fix hashed known_hosts (#8 )

This commit fixes problem when host key is already added in SSH
`known_hosts` file but SSH fails to validate this host key.

NOTE:
This problem manifests only when simulating 'accept-new' feature of the
newer SSH (>v7.6) via 'Match' with 'ssh-keygen -F'.

The cause of this problem is the fact that hostname is stored always
in lowercase even if the hostname had an upcase character.

It means that the record in `known_hosts` file for hostname `ABC`
becomes something like 'abc,10.0.0.10' - which in turn is hashed...

Therefore SSH with `HashKnownHosts=yes` is comparing wrong hashes:
    hash('ABC,10.0.0.10') vs hash('abc,10.0.0.10')

Most likely a bug or an oversight in SSH.

With this option disabled (`HashKnownHosts=no`) both upcased `ABC`
and lowercased `abc` work.

Example with *ENABLED* `HashKnownHosts=yes`:

    [oneadmin@ABC ~] hostname
    ABC
    [oneadmin@ABC ~] rm -f ~/.ssh/known_hosts
    [oneadmin@ABC ~] ssh-keyscan -H $(hostname) >> ~/.ssh/known_hosts
    [oneadmin@ABC ~]$ ssh ABC # this fails
    No ECDSA host key is known for abc and you have requested strict
    checking.
    Host key verification failed.
    [oneadmin@ABC ~]$ ssh abc # this works
    Warning: Permanently added 'abc,10.10.0.41' (ECDSA) to the list
    of known hosts.
    Last login: Mon Jun 15 04:32:38 2020 from ::1
    [oneadmin@ABC ~]$ # success with lowercase hostname

Signed-off-by: Petr Ospalý <pospaly@opennebula.io>

2020-06-18 18:19:31 +02:00

bin

F #1473 : Update SSH config and sockets (#4733 )

2020-05-15 18:51:04 +02:00

etc

B OpenNebula/one#4935: Fix hashed known_hosts (#8 )

2020-06-18 18:19:31 +02:00