Fix check_host_ip when no IP address is present in the known_hosts file #663
Conversation
entries[1] is assigned to host_ip at the beginning of the block; it makes it easier to understand that we expect the resolution to have succeeded before trying to check if that IP is present in the hostlist.
A known_hosts file may contain any number of names or IP addresses valid for a given node. An entry may have multiple names but no IP address; in this case host_ip will never be found in hostlist. Instead, first build the list of IP addresses present in hostlist. Only if this list is not empty, perform IP host checking.
The same IP address may be written differently, so comparing addresses as strings might not work as expected (e.g. the loopback address can be expressed as `::1`, `0000:0000:0000:0000:0000:0000:0000:0001`, `0:0:0:0:0:0:0:1` and a handful of other notations). Parse the addresses as IPAddr before comparison so that the same address written in two different notations still matches.
Check if we can locate multiple keys matching a single host with multiple names and no IP address.
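As an added illustration of the logic described in the commits above (example code written for this page, not net-ssh's own implementation), the following Ruby parses a constructed known_hosts sample, collects the IP addresses present in each hostlist, and compares them with the resolved host IP after both sides are parsed as IPAddr. A `legacy:` flag reproduces the string comparison the PR replaces, so the two behaviours can be run side by side. The parser, the helper names (`parse_known_hosts`, `to_ip`, `host_ip_ok?`, `matching_keys`) and the sample entries are assumptions for this example; hashed `|1|...` entries and `@cert-authority`/`@revoked` markers are deliberately not handled.

```ruby
require 'ipaddr'

# Constructed sample known_hosts content for this example; not a real file.
SAMPLE_KNOWN_HOSTS = <<~KNOWN_HOSTS
  # names only, no IP address: host_ip can never appear in this hostlist
  example.org,example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne
  # name plus the loopback IPv6 address in expanded notation
  ip6host,0000:0000:0000:0000:0000:0000:0000:0001 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyTwo
  # name plus an IPv4 address, with a trailing comment field
  ip4host,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleKeyThree admin@example
KNOWN_HOSTS

# Parse known_hosts text into hashes of :hosts (the comma-separated hostlist),
# :type and :key. Comments, blank lines and short lines are skipped. Hashed
# (|1|...) entries and @cert-authority/@revoked markers are out of scope here.
def parse_known_hosts(text)
  text.each_line.filter_map do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    hostlist, type, key = line.split(/\s+/) # any trailing comment field is dropped
    next if key.nil?
    { hosts: hostlist.split(','), type: type, key: key }
  end
end

# Return an IPAddr for strings that are IP addresses, nil for hostnames.
def to_ip(str)
  IPAddr.new(str)
rescue IPAddr::InvalidAddressError
  nil
end

# Does +host_ip+ satisfy the hostlist of one entry under CheckHostIP?
# In legacy mode (the behaviour being replaced) host_ip is compared as a
# string against every hostlist element, so an entry without any IP address
# never matches, and "::1" never matches its expanded spelling.
# In the fixed mode the IP addresses present in hostlist are collected first;
# if there are none the IP check is skipped, otherwise host_ip must equal
# one of them after both sides are parsed with IPAddr.
def host_ip_ok?(hostlist, host_ip, legacy: false)
  return hostlist.include?(host_ip) if legacy

  ip = to_ip(host_ip)
  return true if ip.nil? # host_ip is not an address: nothing to compare
  entry_ips = hostlist.filter_map { |h| to_ip(h) }
  entry_ips.empty? || entry_ips.include?(ip) # IPAddr#== compares family and address
end

# Collect the keys of every entry whose hostlist names +host+. With
# check_host_ip enabled, each candidate entry must also pass host_ip_ok?.
def matching_keys(entries, host, host_ip: nil, check_host_ip: false, legacy: false)
  entries.select do |e|
    next false unless e[:hosts].include?(host)
    next true unless check_host_ip && host_ip
    host_ip_ok?(e[:hosts], host_ip, legacy: legacy)
  end.map { |e| e[:key] }
end

if __FILE__ == $PROGRAM_NAME
  entries = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
  # name-only entry: accepted by the fixed logic, rejected by the legacy one
  p matching_keys(entries, 'example.org', host_ip: '198.51.100.5', check_host_ip: true)
  p matching_keys(entries, 'example.org', host_ip: '198.51.100.5', check_host_ip: true, legacy: true)
  # same IPv6 address in two notations: only the IPAddr comparison matches
  p matching_keys(entries, 'ip6host', host_ip: '::1', check_host_ip: true)
  p matching_keys(entries, 'ip6host', host_ip: '::1', check_host_ip: true, legacy: true)
end
```

Note that this only mirrors the PR's relaxed check; it does not reproduce OpenSSH's behaviour of learning a new IP for a known name and printing a warning, which the discussion below turns to.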
Codecov Report
@@ Coverage Diff @@
## master #663 +/- ##
==========================================
+ Coverage 95.76% 95.77% +<.01%
==========================================
Files 144 144
Lines 9644 9653 +9
==========================================
+ Hits 9236 9245 +9
Misses 408 408
Continue to review full report at Codecov.
@smortex thanks for the PR. Any reason you cannot pass When check_host_ip is true I don't think OpenSSH accepts an entry without an IP. We might want to display better errors, but I'm not sure I like the less strict check_host_ip you've implemented.
My goal is to ship https://github.com/puppetlabs/bolt in FreeBSD, which can certainly be modified to skip some checking, but if we can avoid it, that's best :-) I recently updated FreeBSD and assumed CheckHostIP, which defaults to 'no', would be updated, and since I experienced no problem I assumed it was fine. I was doubly wrong: I tried to force it to 'yes'. When connecting to a host which already has its hostname in the system's known_hosts file, the connection succeeds and a new entry is added to my user's known_hosts file (and a notice is produced). If I change the IP that was added to my user's known_hosts file, a new line is added on the next connection, and the connection succeeds (with the same notice). The same is true if everything is in the same known_hosts file. The same is true if StrictHostKeyChecking is set to true. So this test is definitely wrong (it should return a key since the hostname is found): net-ssh/test/test_known_hosts.rb Lines 51 to 55 in 3683301
That makes me think that CheckHostIP is only useful when you connect to a host by hostname, and then later reach it via its IP address. Maybe we can close this PR and:
What do you think?
@smortex Let me think about that. In my testing you seem to be right: if the name and matching key are there with a different IP, OpenSSH will add the new IP with a warning message even with strict host key checking. I see the following options:
I don't see much value in check_host_ip, therefore I see 3.) as a bit of wasted energy.
I am not sure I follow you: are 1, 2, 3 three different options or the three steps of a single option? The second hypothesis makes more sense to me but I might be misunderstanding… If you are saying that doing the three steps above is not worth it, I quite agree: as far as I am concerned, CheckHostIp adds no value at all, and I would prefer the In this case, I would suggest dropping completely the Does that look reasonable?
@smortex that meant 3 alternatives. I'd prefer to keep check_host_ip in case someone needs it and remove it in a future version. Would 2.) work for you? Does your config has /etc/ssh_config has
Ah, sorry for the misunderstanding.
I am not sure I understand what you want to keep? As far as I can see, the only thing that check_host_ip does is enforce that the IP address of the remote side exists in the known_hosts file, which is not done by ssh. Isn't this a bug in net-ssh that should be fixed to behave like ssh(1)? Am I missing another feature of check_host_ip?
The default FreeBSD ssh_config file is similar to the upstream one, with the CheckHostIp default value in a comment. Tuning it would be a valid workaround in my case, disabling the extra check done by net-ssh and not done by ssh(1), but I guess it would surprise other users. Shouldn't CheckHostIp have the same impact in net-ssh and ssh(1)? In an ideal world, wouldn't 3 and 2 both be implemented? This is the reason why I propose to just nuke CheckHostIp completely: remove the extra checks done by net-ssh and not have to implement 2 and 3. I hope you understand my reasoning.
Seems like requiring both
With following ssh(1) version:
Both of the following will work with
However with
works for
but not for
The
would result in
I think that treating them as separate issues, the first a bug fix and the second a new feature, would help distinguish the two. Note tested using
Under I think that CheckHostIP in OpenSSH, and especially in net-ssh, is not a useful feature, and I'd like to remove it in the longer term. The current implementation has been in net-ssh for years without complaint, therefore I don't want to remove it in a minor version. It can be considered either buggy or just stricter than the OpenSSH version. This is the plan: 1.) 5.2.0 introduce check_host_ip: false flag, and set check_host_ip to false if CheckHostIP is false in net-ssh configs I don't want to tweak the current check_host_ip to be more OpenSSH-like as I don't see it as useful.
I agree that replicating the behavior of
Ah, I see! Thank you for clarifying and providing the roadmap: I was feeling confused, but this seems consistent. I will close this issue for now, and ping the puppetlabs/bolt team to rely on @mfazekas do you want me to open a new PR with a backport of d276c72 (should only be useful when
@smortex can you check 5.2.0.rc2? It should set
I am afraid something is not working as expected; with the rc2, the connection always succeeds even if I set
Ah, forget my previous comment: I was trying to connect to a host with just its hostname in the known_hosts file, which is skipped by check_host_ip. With the previously used hostname, I am still seeing the same thing happening:
Yeah the setting appears to be read correctly but seems to get ignored. Changing Lines 80 to 83 in a1c7b36
Seems to work with Line 212 in a1c7b36
@mfazekas 5.2.0.rc3 works as described. Thanks so much!
@mfazekas Yes, it does work as expected with rc3, thank you!
Hey!
Just tried to switch to net-ssh 5.2.0.rc1 but still encountering problems after #656.
My known_hosts file contains these entries (no IP address):
The original code fails because (for the first key; the same of course with a different hostlist for the two others):