This repository was archived by the owner on Jan 30, 2020. It is now read-only.

Conversation


@tixxdz tixxdz commented Apr 1, 2016

Retrieve remote host Key Algorithms from known_host if they are there
and use them to perform ssh handshake. Otherwise fallback to default
values suggested by remote.

This patch is based on a previous patch written by:
kayrus [email protected]

Resolves #1526 and coreos/bugs#1186
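The lookup the description above proposes, written out as an added Go example (not fleet's own code; the client wiring is left out): it returns the host key algorithms that known_hosts records for a host, which is the list you would assign to `ssh.ClientConfig.HostKeyAlgorithms` in golang.org/x/crypto/ssh, and nil when there is no usable entry so that the library's default list stays in force. The sample file, the host names and the ssh-rsa expansion are assumptions of mine; the port is passed as a string, as net.SplitHostPort returns it.

```go
package main

import (
	"bufio"
	"strings"
)

// A known_hosts "ssh-rsa" key may sign with any of these; offer all three,
// since OpenSSH 8.8+ no longer accepts the plain "ssh-rsa" signature.
var rsaAlgos = []string{"rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"}

// HostKeyAlgorithms lists the algorithms the known_hosts entries for host:port
// allow (port as net.SplitHostPort returns it), in file order, no duplicates.
// nil means "nothing usable": the caller then keeps the library's default list.
func HostKeyAlgorithms(knownHosts, host, port string) []string {
	name := host // OpenSSH writes "[host]:port" for any port other than 22
	if port != "22" {
		name = "[" + host + "]:" + port
	}
	var algos []string
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(knownHosts))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 3 || f[0][0] == '#' || f[0][0] == '@' {
			continue // blank, comment, or @revoked/@cert-authority marker line
		}
		// Exact match in the comma-separated name list; wildcards and hashed
		// (|1|...) names do not match here and so fall back to the defaults.
		if !strings.Contains(","+strings.ToLower(f[0])+",", ","+strings.ToLower(name)+",") {
			continue
		}
		candidates := []string{f[1]}
		if f[1] == "ssh-rsa" {
			candidates = rsaAlgos
		}
		for _, a := range candidates {
			if !seen[a] {
				seen[a], algos = true, append(algos, a)
			}
		}
	}
	return algos
}

// SampleKnownHosts is constructed data; the hosts and keys are not real.
const SampleKnownHosts = `core-1.example.internal,10.0.0.7 ssh-rsa AAAAB3NzaC1yc2E...
core-1.example.internal ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...
[bastion.example.internal]:2222 ecdsa-sha2-nistp256 AAAAE2VjZHNh...
@revoked core-1.example.internal ssh-dss AAAAB3NzaC1kc3M...`
```

Note that a host reached on port 22 does not match a `[host]:2222` entry, and the revoked ssh-dss key is never offered; both cases return nil and leave the default behaviour in place.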

    continue
}
ipAddr, err := kc.addrToHostPort(remoteIP.String())
if err != nil {
Same here?

@tixxdz tixxdz force-pushed the tixxdz/ssh_known_hosts_fixes branch from f3b1dc3 to d81fe84 on April 1, 2016 16:06

crawford commented Apr 1, 2016

Without this patch:

$  bin/fleetctl --tunnel=ec2-54-153-17-9.us-west-1.compute.amazonaws.com list-machines
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
08:b1:9f:a2:50:55:72:1c:df:fa:ae:a1:13:ff:fe:30.
Please contact your system administrator.
Add correct host key in /home/alex/.fleetctl/known_hosts to get rid of this message.
Host key verification failed.
Unable to initialize client: failed initializing SSH client: ssh: handshake failed: host key mismatch

With the patch:

$ bin/fleetctl --tunnel=ec2-54-153-17-9.us-west-1.compute.amazonaws.com list-machines
MACHINE         IP              METADATA
bb926b38...     172.31.1.5      -

LGTM


tixxdz commented Apr 2, 2016

@crawford @jonboulle @kayrus this seems to work and it is a high-priority fix. If no one objects I'll merge it tonight. The code doesn't have side effects; on errors we return nil, which the upstream ssh library will ignore and fall back to the old behaviour. Thanks!

@tixxdz tixxdz merged commit 2957742 into coreos:master Apr 4, 2016