group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #12416
[Bug 1670745] Re: ssh-keyscan : bad host signature when using port option
** Also affects: openssh (Ubuntu Xenial)
Importance: Undecided
Status: New
** Also affects: openssh (Ubuntu Yakkety)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1670745
Title:
ssh-keyscan : bad host signature when using port option
Status in portable OpenSSH:
Unknown
Status in openssh package in Ubuntu:
Fix Released
Status in openssh source package in Xenial:
New
Status in openssh source package in Yakkety:
New
Status in openssh package in Debian:
Fix Released
Bug description:
[Impact]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[Test Case]
* Further evolving from the simplification Josh provided:
Testcase:
$ release=xenial
$ lxc launch ubuntu-daily:${release} ${release}-test-ssh-port-scan-client
$ lxc launch ubuntu-daily:${release} ${release}-test-ssh-port-scan-server
$ lxc exec ${release}-test-ssh-port-scan-server -- sed -i 's/Port 22/Port 2222/' /etc/ssh/sshd_config
$ lxc exec ${release}-test-ssh-port-scan-server -- service ssh restart
$ IP=$(lxc exec ${release}-test-ssh-port-scan-server -- hostname --ip-address)
$ lxc exec ${release}-test-ssh-port-scan-client -- ssh-keyscan -H -p 2222 ${IP}
# See the port in the Hash still
# Install the fixed version in *-client and see the port gone from the
output
[Regression Potential]
* Change is limited to ssh-keyscan (not any touching other parts of openssh)
* Fix is from upstream (no "Ubuntu special" change)
* Fix is small and "only" changing string creation (11 lines touched)
So overall the regression potential should be low.
[Other Info]
* n/a
---
When I use the port option with ssh-keygen, the result is not
compatible with ssh known_host file format.
UBUNTU VERSION :
================
lsb_release -rd
Description: Ubuntu 16.04.1 LTS
Release: 16.04
BAD :
============
:~/.ssh$ cat /etc/issue
Ubuntu 16.04.1 LTS \n \l
:~/.ssh$ ssh-keyscan -v -p [...port...] -t ecdsa -H [...snip...]
debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000
# [...snip...]:[...port...] SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
debug1: Enabling compatibility mode for protocol 2.0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@xxxxxxxxxx
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@xxxxxxxxxxx MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@xxxxxxxxxxx MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
[|1|BEEwVcggbNPf7fUydgU4O+BDoLg=|9SmWBUxFZkpR70Hqq8uqxLAzXFU=]:[...port...] ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLEde+dZfL0TW6Z9jh+gOkW5fG/qeP9JAejKQXdmg9D7CH4NwMrWDEjXBDDo6iirIPAB6M0uUnK2mDw7uUWXYt8=
==> we see the port number because it is not hashed !
GOOD :
============
rm ~/.ssh/known_hosts
:~/$ ssh -p [...port...] [...snip...]
The authenticity of host '[[...snip...]]:[...port...] ([[...snip...]]:[...port...])' can't be established.
ECDSA key fingerprint is SHA256:b/Jx+y3fNWFqOqTzFRI3XGrz33DBtAFFLmQaYQYFRnM.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[[...snip...]]:[...port...],[[...snip...]]:[...port...]' (ECDSA) to the list of known hosts.
[...snip...]@[...snip...]'s password:
:~/$ !cat
cat ~/.ssh/known_hosts
|1|qdg91H9/DMHLO7yGOivI17+WFQI=|B+a6SrzF1GBd3XFvmAvQRnJxLWs= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLEde+dZfL0TW6Z9jh+gOkW5fG/qeP9JAejKQXdmg9D7CH4NwMrWDEjXBDDo6iirIPAB6M0uUnK2mDw7uUWXYt8=
|1|8I/vbrBV04VaUF12JXRwxvAL9So=|ToMf+kRwbSeNertVdUVuG3iLdH8= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLEde+dZfL0TW6Z9jh+gOkW5fG/qeP9JAejKQXdmg9D7CH4NwMrWDEjXBDDo6iirIPAB6M0uUnK2mDw7uUWXYt8=
==> we cannot see the port number as it is well hashed !
REMARKS :
==============
Same problem has already reported here (on macOS): https://github.com/ansible/ansible-modules-extras/issues/2651
It seems that ssh-keyscan version and open-ssh version differs :
dpkg -l | grep openssh :: ii openssh-client 1:7.2p2-4ubuntu2.1 [...]
ssh-keyscan -v [...] :: debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000
It is very annoying because I am trying to manage hand installed VMs
with Ansible. For that I want to automate SSH host keys storing in
known_hosts database. And because of this bug I can't. (ansible KIKIN
project in development).
Thank you,
BR,
Gautier HUSSON.
To manage notifications about this bug go to:
https://bugs.launchpad.net/openssh/+bug/1670745/+subscriptions