default SSH host key policy is insecure #2071
Comments
i found that adding this to my

```python
import logging

import fabric

# monkeypatch the default fabric connexion to workaround
# https://github.com/fabric/fabric/issues/2071
# (SaferConnection is a Connection subclass defined elsewhere; it is not shown here)
logging.warning('Fabric Connection monkeypatched, will crash without a patch')
fabric.Connection = SaferConnection
fabric.connection.Connection = SaferConnection
```
i ended up doing this in the short term:

```python
from fabric import Connection
from paramiko import RejectPolicy

# hack to enforce a different key policy: https://github.com/fabric/fabric/issues/2071
def safe_open(self):
    self.client.set_missing_host_key_policy(RejectPolicy())
    Connection.open_orig(self)

# keep a reference to the original open() before replacing it
Connection.open_orig = Connection.open
Connection.open = safe_open
```

in the long term, i would much prefer if the policy was set to Warning or at least customizable somewhat.
After some digging, I think this happens because when the connection is made, nothing ever calls paramiko's
This removes the Fabric-specific host key policy which is to automatically accept new keys. I don't see why Fabric would do anything different than the default here at this stage, especially since we don't seem to be *loading* any keys, let alone saving them. This is a stopgap measure to fix fabric#2071
This has the following consequences:

1. the AutoAddPolicy starts to work correctly, as the `load_host_keys` call signals that it should save new fingerprints to the known_hosts file
2. it will also correctly *fail* if the fingerprint on a host changes, which was *not* the case before, as the known_hosts file was never loaded
3. it will correctly load the right `UserKnownHostsFile` according to the rules defined in the ssh configuration

Regarding the last point, that is essential in my setup because I have a config block like this:

```
Host *.example.com
    UserKnownHostsFile ~/.ssh/known_hosts.example.com
    ...
```

which allows me to "group" known_hosts file and synchronize them from remote servers.
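A simplified model of the behaviour this commit message describes, added here as an illustration; it is not Fabric or paramiko code, and `ModelClient`, `two_runs`, the host name and the key strings are constructed for the example. It shows that an auto-add policy only amounts to trust-on-first-use when the known_hosts file is loaded: without it, every fresh client starts from an empty store and a changed key is accepted.

```python
import os
import tempfile

class HostKeyError(Exception):
    """Presented key is unknown (reject policy) or differs from the recorded one."""

class ModelClient:
    """Toy stand-in for an SSH client's host key store (hypothetical, not paramiko)."""

    def __init__(self, auto_add=True):
        self.auto_add = auto_add   # True models an auto-add policy, False a reject policy
        self.known = {}            # (hostname, keytype) -> key blob
        self.filename = None       # set only by load_host_keys()

    def load_host_keys(self, path):
        # Remember the file so newly accepted keys are written back to it.
        self.filename = path
        if os.path.exists(path):
            with open(path) as fh:
                for line in fh:
                    parts = line.split()
                    if len(parts) == 3:
                        self.known[(parts[0], parts[1])] = parts[2]

    def verify(self, host, keytype, blob):
        recorded = self.known.get((host, keytype))
        if recorded is None:
            if not self.auto_add:
                raise HostKeyError(f"{host}: unknown host key rejected")
            self.known[(host, keytype)] = blob
            if self.filename is not None:   # persisted only if a file was loaded
                with open(self.filename, "a") as fh:
                    fh.write(f"{host} {keytype} {blob}\n")
            return "added"
        if recorded != blob:
            raise HostKeyError(f"{host}: host key changed")
        return "match"

def two_runs(load, auto_add=True):
    """Two separate runs (fresh client each); the server key changes in between."""
    path = os.path.join(tempfile.mkdtemp(), "known_hosts")
    results = []
    for blob in ("AAAA-constructed-key-1", "AAAA-constructed-key-2"):
        client = ModelClient(auto_add)
        if load:
            client.load_host_keys(path)
        try:
            results.append(client.verify("web1.example.com", "ssh-ed25519", blob))
        except HostKeyError:
            results.append("rejected")
    return results
```
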
indeed, we are not loading any host keys at all, which makes i started working on this problem in #2072, maybe we can followup there. my approach is to:
that should be sufficient for my use case.
This makes it easier to monkeypatch to earlier versions. With this patch, I can copy-paste the setup_ssh_client() function into my code and monkeypatch older fabric versions with:

```python
# hack to fix Fabric key policy:
# fabric#2071
def safe_open(self):
    SaferConnection.setup_ssh_client(self)
    Connection.open_orig(self)

class SaferConnection(Connection):
    # this function is a copy-paste from fabric#2072
    def setup_ssh_client(self):
        # [...]

Connection.open_orig = Connection.open
Connection.open = safe_open
```

This is otherwise a noop.
Has there been any updates on this issue? Any plans for merging it?

this is still a problem, latest is in #2076
@bitprophet i'm sorry to ping you about this one, but it seems to me this is a capital one to fix. At the very least make the default policy warning! i made a more minimal change in #2280 to change the policy to at least we should be warning here... but I think
I was quite surprised to find that code in Fabric's `Connection` class:

This changes the default `connect` policy from `RejectPolicy()` to `AutoAddPolicy` which means that a ssh connexion will not warn when an SSH key changes or on new keys. I find this behavior questionable, especially since it's actually very hard to change, because it's embedded deep inside Fabric (inside the `Connection` constructor).

I tried to monkeypatch this away in a `prototype.py` but could not make this work:

for some weird reason, this crashes with:

It looks like the pre-py3 `super()` call is causing problems here. I tried to fix that in cd004d4 but it seems it is a recurring problem in the code and, besides, it's hardly an intuitive way to make a change.

Shouldn't the default here be safer? Maybe have a prompt like SSH does instead of just gobbling up any SSH key change? I understand if we would want to do TOFU and just trust unknown fingerprints, but from what I can tell, Fabric, by default, will trust any SSH server fingerprint whatsoever.

I find this terrifying.