Select pref key #900
Closed
Setting the same key_types as one would be able to get directly from key_types used to raise an exception because _key_info didn't hold the same keys as _preferred_keys. Added unit test also.
…he ecdsa keys
Recent versions of OpenSSH prefer to use ecdsa keys for the host key verification, and therefore, ecdsa keys tend to end up in the known_hosts file. Paramiko, on the other hand, tends to end up using rsa keys. This often causes Paramiko to fail the host key verification despite the fact that the host is known to OpenSSH. This simple change reduces the risk of this happening.
see also #899
and see also #387 and the rest of the keys label. Thanks for this, will take a closer look when I have time to try smashing through all this keys related stuff!
ploxiln added a commit to ploxiln/paramiko-ng that referenced this pull request Jun 6, 2017
Using Paramiko I've come across an impracticality.
Recent OpenSSH clients have a preference towards ECDSA keys, and therefore such keys tend to end up in the known_hosts files. Paramiko, on the other hand, tends to end up using RSA key types after initial negotiation, and as a result Paramiko is likely to fail host key verification even though a valid host key has previously been added to the known_hosts file by OpenSSH.
I've added functionality to the SSHClient.connect method to indicate preference towards a given type of key. Loading the known host keys prior to the call to connect enables you to identify a key type which is already in the known_hosts (if any) and instruct Paramiko to use this key type:
```python
import os

import paramiko

host = 'myserver.com'
ssh = paramiko.SSHClient()
ssh.load_host_keys(os.path.expanduser('~/.ssh/known_hosts'))
keys_of_all_known_hosts = ssh.get_host_keys()
pref_hkey_type = None
if host in keys_of_all_known_hosts:
    # Take the first key type already recorded for this host
    pref_hkey_type = list(keys_of_all_known_hosts[host].keys())[0]
# pref_key_type is the connect() argument proposed by this pull request
ssh.connect(host, username='eddie', password='murphy', pref_key_type=pref_hkey_type)
```
During the process of developing this I've come across an issue in relation to setting of key_types through the SecurityOptions object. Getting the key_types from the SecurityOptions and setting the same values again directly afterwards would raise an exception. I have proposed a fix for this issue too.
I hope you'll find this useful, and please don't hesitate to contact me for further comments.
BR / Kasper Døring
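
An added example (not code from this pull request or from Paramiko) of the selection step described above: it reads known_hosts text, including hashed `|1|` entries that a plain string comparison would miss, and moves the key types already recorded for a host to the front of the negotiation order. The sample file contents, `DEFAULT_ORDER` and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample data: key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
# constructed known_hosts content
myserver.com,192.0.2.10 ecdsa-sha2-nistp256 AAAAPLACEHOLDER1
[git.example.org]:2222 ssh-rsa AAAAPLACEHOLDER2
@revoked myserver.com ssh-rsa AAAAPLACEHOLDER3
"""

# Assumed client default order that puts RSA first (illustrative only).
DEFAULT_ORDER = ["ssh-rsa", "ecdsa-sha2-nistp256", "ssh-ed25519"]


def hash_host(host, salt):
    """Build a HashKnownHosts-style field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(pattern, host):
    """Match a plain or hashed known_hosts host field (no wildcard support)."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return pattern == host


def known_key_types(known_hosts_text, host):
    """Return the key types recorded for host, in file order, skipping marker lines."""
    types = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # comments, blanks, @revoked / @cert-authority entries
        if any(host_matches(p, host) for p in fields[0].split(",")):
            if fields[1] not in types:
                types.append(fields[1])
    return types


def preferred_order(known_hosts_text, host, default_order=DEFAULT_ORDER):
    """Move key types already pinned for host to the front of the negotiation order."""
    pinned = [t for t in known_key_types(known_hosts_text, host) if t in default_order]
    return pinned + [t for t in default_order if t not in pinned]
```

For an unknown host the order is returned unchanged, so a first connection still goes through the client's normal host key policy.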