In KEXINIT packet, put EC algorithms first in list of host key algorithms #642
Conversation
…ore ssh-rsa. This matches behavior with OpenSSH during algorithm negotation.
…y have in the MockServer
Current coverage is 91.20% (diff: 93.75%)@@ trunk #642 diff @@
==========================================
Files 836 836
Lines 146496 146523 +27
Methods 0 0
Messages 0 0
Branches 12988 12992 +4
==========================================
+ Hits 133609 133642 +33
+ Misses 10652 10648 -4
+ Partials 2235 2233 -2
|
|
@the0id please review this |
….ssh/known_hosts. This will be used to change the order of supported host key algorithms when the client sends out the MSG_KEXINIT packet.
If we have an ecdsa-nistp-256 key in known_hosts, but the server offers an ssh-rsa key, this will cause conch to skip the entry instead of raising a bad host key error.
but the hostname + keyType is the same.
|
@acabhishek942 @the0id please review this |
| in the KEXINIT packet. | ||
|
|
||
| @param host: the host to check in known_hosts | ||
| @param options: L{twisted.conch.client.options.ConchOptions} |
There was a problem hiding this comment.
please include the type of host and options here
|
@acabhishek942 In the future (at least until we are fully moved to github) please take care to remove the |
There was a problem hiding this comment.
I know this has already been reviewed, and I don't want to propose a revert, but I think we may not be properly propagating our attention to details in reviews to new reviewers - the number of "+1" reviews on relatively complex changes and new public APIs concerns me a little. Just wanted to leave my own take on the review here as an example :).
| This can be used to change the order of supported key types | ||
| in the KEXINIT packet. | ||
|
|
||
| @type host: L{str} |
There was a problem hiding this comment.
While this isn't wrong exactly, convention is usually to put @param first, rather than @type.
There was a problem hiding this comment.
There seem to be other places in Twisted that put @type before @param such as https://github.com/twisted/twisted/blob/trunk/src/twisted/words/xish/domish.py#L158 so I tried following that, but I'll keep that in mind next time around.
There was a problem hiding this comment.
Thanks for the reference to the counterexample; I wasn't aware that was there. I'll have to go through and fix it at some point :)
| @@ -130,6 +130,31 @@ def isInKnownHosts(host, pubKey, options): | |||
|
|
|||
|
|
|||
|
|
|||
| def getHostKeyAlgorithms(host, options): | |||
There was a problem hiding this comment.
Was it really necessary to expose a new public API to address this?
There was a problem hiding this comment.
Maybe this could have been left as an internal API. Maybe there could be other clients outside of the conch client that could guess at a preferred host key type based on what is in known_hosts
There was a problem hiding this comment.
if that is the case, perhaps it makes sense to move it to a method on KnownHostsFile? Perhaps good to do this before the next release?
|
|
||
| @type host: L{str} | ||
| @param host: the host to check in known_hosts | ||
| @type options: L{twisted.conch.client.options.ConchOptions} |
There was a problem hiding this comment.
Why does this take a ConchOptions rather than a KnownHostsFile? It seems that this is duplicating the logic involved in determining the proper location of the known_hosts file.
| @param host: the host to check in known_hosts | ||
| @type options: L{twisted.conch.client.options.ConchOptions} | ||
| @param options: options passed to client | ||
| @return: L{list} of L{str} representing key types or L{None}. |
There was a problem hiding this comment.
Should this really be native str or is it more properly unicode or bytes?
There was a problem hiding this comment.
After going through things and testing it out, str seems to be the most workable.
| or os.path.expanduser(_KNOWN_HOSTS) | ||
| )) | ||
| keyTypes = [] | ||
| for entry in knownHosts.iterentries(): |
There was a problem hiding this comment.
It seems like this should be a set rather than a list, since order isn't really significant. This would also be easier to spell / implement, as simply return set([entry.keyType for entry in knownHosts.iterentries() if entry.matchesHost(host)])
There was a problem hiding this comment.
During my testing, I found that in the OpenSSH command-line client that the order that entries are traversed in known_hosts seems to matter. I tried to keep the behavior of the conch client the same as OpenSSH in this area, so kept it as a list.
There was a problem hiding this comment.
Aah, interesting. I guess that's why it talks about "order" in the docstring? That raises the question though: how can this be "used" to do that?
| @@ -431,7 +431,7 @@ def hasHostKey(self, hostname, key): | |||
| does not match the given key. | |||
| """ | |||
| for lineidx, entry in enumerate(self.iterentries(), -len(self._added)): | |||
| if entry.matchesHost(hostname): | |||
| if entry.matchesHost(hostname) and entry.keyType == key.sshType(): | |||
There was a problem hiding this comment.
This feels like a separate fix that should have been addressed in a different ticket?
There was a problem hiding this comment.
I had it in a separate ticket, but it was easier to combine in one, because the fixes are interrelated, having to do with deducing the host key algorithm from the known_hosts file,
and using that to specify the order of algorithms in the client's kexinit packet.
| @@ -53,9 +53,14 @@ | |||
| b'343Hd2QHiIE0KPZJEgCynKeWoKz8v6eTSK8n4rBnaqWdp8MnGZK1WGy05MguXbyCDuTC8AmJXQ' | |||
| b'==') | |||
|
|
|||
| ecdsaSampleEncodedKey = ( | |||
There was a problem hiding this comment.
Just for future reference, we should try to generate keys for tests rather than having a bunch of hard-coded ones hanging around. This is the sort of thing automated security scanners pick up and complain about. There's a case to be made that they're technically wrong for complaining, but they're also the sort of thing that people blindly copy/paste from tests or examples into production systems, so in practice I think they're right.
This is just repeating a pretty well-established pattern in this file, so I wouldn't blame you for doing it here, but it's something to keep in mind for the future.
http://twistedmatrix.com/trac/ticket/8958