x/crypto/ssh/knownhosts: incorrect parsing of known_hosts for ipv6 #53463
Comments
mdlayher
changed the title
cagedmantis
added
the
NeedsInvestigation
|
//cc @FiloSottile @golang/security |
|
From https://man.openbsd.org/sshd.8:
So if the IP is enclosed with brackets |
|
For anyone who needs a quick work-around for writing ipv6 entries to known_hosts files, package github.com/skeema/knownhosts@v1.2.0 now includes patched versions of github.com/skeema/knownhosts is a thin wrapper around x/crypto/ssh/knownhosts, rather than a fork. It's battle-tested and adds several improvements not found in x/crypto/ssh/knownhosts. It's designed to be a nearly-drop-in replacement; you'll just need to cast back to |
1. When using the bracketed syntax, the port is mandatory, even if it's the default one. Otherwise, OpenSSH rejects it with: "address [abcd:abcd:abcd:abcd]: missing port in address". See sshd(8): SSH_KNOWN_HOSTS FILE FORMAT. 2. Brackets are not necessary when using the default port, even for IPv6 addresses. Fixes golang/go#53463
1. When using the bracketed syntax, the port is mandatory, even if it's the default one. Otherwise, OpenSSH rejects it with: "address [abcd:abcd:abcd:abcd]: missing port in address". See sshd(8): SSH_KNOWN_HOSTS FILE FORMAT. 2. Brackets are not necessary when using the default port, even for IPv6 addresses. Fixes golang/go#53463
|
Change https://go.dev/cl/522255 mentions this issue: |
What version of Go are you using (
go version)?Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (
go env)?go envOutputWhat did you do?
package main import ( "fmt" "net" "golang.org/x/crypto/ssh" "golang.org/x/crypto/ssh/knownhosts" ) func main() { hostKeyCallback, err := knownhosts.New("/home/samir/.ssh/known_hosts") if err != nil { fmt.Println(err) return } config := &ssh.ClientConfig{ User: "test", Auth: []ssh.AuthMethod{ssh.Password("test")}, HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error { addr := []string{hostname} line := knownhosts.Line(addr, key) fmt.Println(line) return hostKeyCallback(hostname, remote, key) }, } _, err = ssh.Dial("tcp", "[2001:3984:3989::10]:22", config) if err != nil { fmt.Println(err) return } }When running the above script, the line
line := knownhosts.Line(addr, key)prints the following:(The xyz is a just a placeholder)
which I add to
/home/samir/.ssh/known_hosts. I get the messagessh: handshake failed: knownhosts: key is unknownas well, which is expected.What did you expect to see?
On the second re-run (with my hostkey added to known_hosts), I expect the connection to be established.
What did you see instead?
I see:
If I add the
:22port to the IP, it works (this shouldn't work though, since it's the default port, should only work when port != 22):And it works if I remove the brackets (this is the correct way and how ssh works):
The method
LinesaysLine returns a line to add append to the known_hosts files., but the methodNewdoesn't support parsing theknown_hostsfile without a port number when brackets[]are used.So it should be:
port == 22returnabcd:abcd:abcd:abcdport != 22return[abcd:abcd:abcd:abcd]:33port == 22return127.0.0.1port != 22return[127.0.0.1]:33I think the Normalize function is the culprit in some of the errors:
https://cs.opensource.google/go/x/crypto/+/bc19a97f:ssh/knownhosts/knownhosts_test.go;l=329
The test cases are:
They should be (removal of brackets on the right side):
Also, a small note, the method
Linehas a grammar error:It says
Line returns a line to add append to the known_hosts files., but it should say:Line returns a line to add to the known_hosts files., orLine returns a line to append to the known_hosts files.The text was updated successfully, but these errors were encountered: