-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
In KEXINIT packet, put EC algorithms first in list of host key algorithms #642
Conversation
…ore ssh-rsa. This matches behavior with OpenSSH during algorithm negotation.
…y have in the MockServer
Current coverage is 91.20% (diff: 93.75%)@@ trunk #642 diff @@
==========================================
Files 836 836
Lines 146496 146523 +27
Methods 0 0
Messages 0 0
Branches 12988 12992 +4
==========================================
+ Hits 133609 133642 +33
+ Misses 10652 10648 -4
+ Partials 2235 2233 -2
|
@the0id please review this |
….ssh/known_hosts. This will be used to change the order of supported host key algorithms when the client sends out the MSG_KEXINIT packet.
If we have an ecdsa-nistp-256 key in known_hosts, but the server offers an ssh-rsa key, this will cause conch to skip the entry instead of raising a bad host key error.
but the hostname + keyType is the same.
@acabhishek942 @the0id please review this |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please address my inline comment if you think thats important, otherwise this change looks ready to merge
in the KEXINIT packet. | ||
|
||
@param host: the host to check in known_hosts | ||
@param options: L{twisted.conch.client.options.ConchOptions} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please include the type of host
and options
here
@acabhishek942 In the future (at least until we are fully moved to github) please take care to remove the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know this has already been reviewed, and I don't want to propose a revert, but I think we may not be properly propagating our attention to details in reviews to new reviewers - the number of "+1" reviews on relatively complex changes and new public APIs concerns me a little. Just wanted to leave my own take on the review here as an example :).
This can be used to change the order of supported key types | ||
in the KEXINIT packet. | ||
|
||
@type host: L{str} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
While this isn't wrong exactly, convention is usually to put @param
first, rather than @type
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There seem to be other places in Twisted that put @type before @param such as https://github.com/twisted/twisted/blob/trunk/src/twisted/words/xish/domish.py#L158 so I tried following that, but I'll keep that in mind next time around.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the reference to the counterexample; I wasn't aware that was there. I'll have to go through and fix it at some point :)
@@ -130,6 +130,31 @@ def isInKnownHosts(host, pubKey, options): | |||
|
|||
|
|||
|
|||
def getHostKeyAlgorithms(host, options): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Was it really necessary to expose a new public API to address this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe this could have been left as an internal API. Maybe there could be other clients outside of the conch client that could guess at a preferred host key type based on what is in known_hosts
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if that is the case, perhaps it makes sense to move it to a method on KnownHostsFile
? Perhaps good to do this before the next release?
|
||
@type host: L{str} | ||
@param host: the host to check in known_hosts | ||
@type options: L{twisted.conch.client.options.ConchOptions} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why does this take a ConchOptions
rather than a KnownHostsFile
? It seems that this is duplicating the logic involved in determining the proper location of the known_hosts
file.
@param host: the host to check in known_hosts | ||
@type options: L{twisted.conch.client.options.ConchOptions} | ||
@param options: options passed to client | ||
@return: L{list} of L{str} representing key types or L{None}. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this really be native str
or is it more properly unicode
or bytes
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After going through things and testing it out, str seems to be the most workable.
or os.path.expanduser(_KNOWN_HOSTS) | ||
)) | ||
keyTypes = [] | ||
for entry in knownHosts.iterentries(): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems like this should be a set
rather than a list
, since order isn't really significant. This would also be easier to spell / implement, as simply return set([entry.keyType for entry in knownHosts.iterentries() if entry.matchesHost(host)])
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
During my testing, I found that in the OpenSSH command-line client that the order that entries are traversed in known_hosts seems to matter. I tried to keep the behavior of the conch client the same as OpenSSH in this area, so kept it as a list.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Aah, interesting. I guess that's why it talks about "order" in the docstring? That raises the question though: how can this be "used" to do that?
@@ -431,7 +431,7 @@ def hasHostKey(self, hostname, key): | |||
does not match the given key. | |||
""" | |||
for lineidx, entry in enumerate(self.iterentries(), -len(self._added)): | |||
if entry.matchesHost(hostname): | |||
if entry.matchesHost(hostname) and entry.keyType == key.sshType(): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This feels like a separate fix that should have been addressed in a different ticket?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I had it in a separate ticket, but it was easier to combine in one, because the fixes are interrelated, having to do with deducing the host key algorithm from the known_hosts file,
and using that to specify the order of algorithms in the client's kexinit packet.
@@ -53,9 +53,14 @@ | |||
b'343Hd2QHiIE0KPZJEgCynKeWoKz8v6eTSK8n4rBnaqWdp8MnGZK1WGy05MguXbyCDuTC8AmJXQ' | |||
b'==') | |||
|
|||
ecdsaSampleEncodedKey = ( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just for future reference, we should try to generate keys for tests rather than having a bunch of hard-coded ones hanging around. This is the sort of thing automated security scanners pick up and complain about. There's a case to be made that they're technically wrong for complaining, but they're also the sort of thing that people blindly copy/paste from tests or examples into production systems, so in practice I think they're right.
This is just repeating a pretty well-established pattern in this file, so I wouldn't blame you for doing it here, but it's something to keep in mind for the future.
http://twistedmatrix.com/trac/ticket/8958