curl ignores SSH_KNOWNHOSTS file #4953
Comments
In a discussion on the ML, @bagder suggested that the bug comes from Here are more information/tests:
ping @nmav, any immediate thoughts?

None unfortunately. Maybe @ansasaki or @cryptomilk have a better understanding of the issue.

I'll take a look. At first glance, I saw libcurl is using a deprecated API to check for known hosts (

@duboism Hello, could you try the patch I proposed on #4962? You'll need libssh >= 0.9.0 for the behaviour to be improved. But there is one more thing: libssh will append the entry to the known hosts file when You should change your callback to check if the entry should or should not be appended to the file and return your decision accordingly.

@ansasaki I have applied your patch against

If I understood correctly, the

```python
def accept_new_hosts(known_key, found_key, match):
    print((known_key, found_key, match))
    if match != pycurl.CURLKHMATCH_OK:
        return pycurl.KHSTAT_FINE_ADD_TO_FILE
    else:
        return pycurl.KHSTAT_FINE
```

With this setup, I have segmentation errors before

I'm looking into it because I get segmentation faults even without my changes with this new callback.

The segfault looks like a pycurl issue to me. It crashes in pycurl code, and goes away when I replace `CURLKHMATCH_OK` with the numerical equivalent, 0: `if match != 0:` It should probably be reported to the pycurl developers.

The very welcome patch from @ansasaki removes deprecated libssh API use, and rectifies an old deficiency in that the "known key" was never previously supplied to the libcurl callback function. Ultimately that doesn't make a difference here though, as libssh was already correctly reading and verifying the key, and the result of that verification was also already passed along.

That libssh, like OpenSSH, can accept and verify any of the host keys it understands is a great benefit actually. Most ssh servers have a variety of host keys configured, one each for

Additionally, if your aim really is just to indiscriminately accept any host key without verification, you don't need this entire callback, host key saving dance. Set

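The callback policy discussed above, as an added example that is not part of the original comments or of curl, libssh or pycurl code: it compares the callback posted in the thread with a trust-on-first-use variant that saves a key only when the host is unknown and refuses a changed key. The constants are local copies of libcurl's `CURLKHMATCH_*` and `CURLKHSTAT_*` enum values; `connect` and `simulate` are hypothetical in-memory stand-ins for the library side, and the host name and key strings are constructed.

```python
# Local copies of libcurl's curl.h enum values (CURLKHMATCH_*, CURLKHSTAT_*).
KHMATCH_OK, KHMATCH_MISMATCH, KHMATCH_MISSING = 0, 1, 2
KHSTAT_FINE_ADD_TO_FILE, KHSTAT_FINE, KHSTAT_REJECT = 0, 1, 2


def permissive_keyfunction(known_key, found_key, match):
    """Policy of the callback posted in the thread: accept and save anything not OK."""
    if match != KHMATCH_OK:
        return KHSTAT_FINE_ADD_TO_FILE
    return KHSTAT_FINE


def tofu_keyfunction(known_key, found_key, match):
    """Trust on first use: save unknown hosts, refuse changed keys."""
    if match == KHMATCH_OK:
        return KHSTAT_FINE
    if match == KHMATCH_MISSING:
        return KHSTAT_FINE_ADD_TO_FILE
    return KHSTAT_REJECT  # mismatch, or any value this code does not know


def connect(known_hosts, host, offered_key, keyfunction):
    """Hypothetical stand-in for the library: compare, ask the callback, maybe append."""
    stored = [key for name, key in known_hosts if name == host]
    if not stored:
        match = KHMATCH_MISSING
    elif offered_key in stored:
        match = KHMATCH_OK
    else:
        match = KHMATCH_MISMATCH
    status = keyfunction(stored[0] if stored else None, offered_key, match)
    if status == KHSTAT_FINE_ADD_TO_FILE:
        known_hosts.append((host, offered_key))
    return status != KHSTAT_REJECT  # True means the transfer would proceed


def simulate(keyfunction):
    """Three connections to one host: first contact, same key, then a changed key."""
    known_hosts = []  # constructed in-memory known hosts list of (host, key) pairs
    results = [
        connect(known_hosts, "sftp.example.test", "KEY-A", keyfunction),
        connect(known_hosts, "sftp.example.test", "KEY-A", keyfunction),
        connect(known_hosts, "sftp.example.test", "KEY-B", keyfunction),
    ]
    return results, len(known_hosts)


if __name__ == "__main__":
    print("permissive:", simulate(permissive_keyfunction))
    print("tofu:      ", simulate(tofu_keyfunction))
```

With the permissive policy the changed key is accepted and stored as a second entry; with the trust-on-first-use policy the third connection is refused and the list keeps one entry.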
Sorry for the long delay I needed to finish some important stuff. For the record, I think that the segfault was because the corresponding constant in pycurl is To sum up:
I did this
I ran the following script several times:
I noticed that after each run the known hosts file (`/tmp/known_hosts`) gets larger and the key is never found. For instance after 3 runs the file contains:
I expected the following
I expected the key to be found after first run and the known host file to contain one key.
curl/libcurl version
operating system