Skip to content
This repository has been archived by the owner on Jan 30, 2020. It is now read-only.

ssh: define the list of Key Algorithms of remote hosts before handshake #1529

Merged
merged 1 commit into from
Apr 4, 2016
Merged

ssh: define the list of Key Algorithms of remote hosts before handshake #1529

merged 1 commit into from
Apr 4, 2016

Conversation

tixxdz
Copy link
Contributor

@tixxdz tixxdz commented Apr 1, 2016

Retrieve remote host Key Algorithms from known_host if they are there
and use them to perform ssh handshake. Otherwise fallback to default
values suggested by remote.

This patch is based from a previous patch written by:
kayrus kay.diam@gmail.com

Resolves #1526 and coreos/bugs#1186

crawford
crawford reviewed Apr 1, 2016
View reviewed changes
ssh/known_hosts.go
continue
}
ipAddr, err := kc.addrToHostPort(remoteIP.String())
if err != nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here?

ssh: define the list of Key Algorithms of remote hosts before handshake
d81fe84 
Retrieve remote host Key Algorithms from known_host if they are there
and use them to perform ssh handshake. Otherwise fallback to default
values suggested by remote.

This patch is based from a previous patch written by:
kayrus <kay.diam@gmail.com>

Resolves coreos#1526 and coreos/bugs#1186
@tixxdz tixxdz force-pushed the tixxdz/ssh_known_hosts_fixes branch from f3b1dc3 to d81fe84 Compare April 1, 2016 16:06
@crawford
Copy link
Contributor

crawford commented Apr 1, 2016

Without this patch:

$  bin/fleetctl --tunnel=ec2-54-153-17-9.us-west-1.compute.amazonaws.com list-machines
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
08:b1:9f:a2:50:55:72:1c:df:fa:ae:a1:13:ff:fe:30.
Please contact your system administrator.
Add correct host key in /home/alex/.fleetctl/known_hosts to get rid of this message.
Host key verification failed.
Unable to initialize client: failed initializing SSH client: ssh: handshake failed: host key mismatch

With the patch:

$ bin/fleetctl --tunnel=ec2-54-153-17-9.us-west-1.compute.amazonaws.com list-machines
MACHINE         IP              METADATA
bb926b38...     172.31.1.5      -

LGTM

@tixxdz
Copy link
Contributor Author

tixxdz commented Apr 2, 2016

@crawford @jonboulle @kayrus this seems to work and it is a high priority fix, If no one objects I'll merge it tonight. The code doesn't have side effects, on errors we return nil which the upstream ssh library will ignore and fallback to the old behaviour. Thanks!

@tixxdz tixxdz mentioned this pull request Apr 4, 2016
Closed
@tixxdz tixxdz merged commit 2957742 into coreos:master Apr 4, 2016
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tixxdz @crawford