group.of.nepali.translators team mailing list archive
Message #13131
[Bug 1670745] Re: ssh-keyscan : bad host signature when using port option
This bug was fixed in the package openssh - 1:7.3p1-1ubuntu0.1
---------------
openssh (1:7.3p1-1ubuntu0.1) yakkety; urgency=medium
* Fix ssh-keygen -H accidentally corrupting known_hosts that contained
already-hashed entries (LP: #1668093).
* Fix ssh-keyscan to correctly hash hosts with a port number (LP: #1670745).
-- Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx> Wed, 15 Mar 2017 14:25:22 +0100
** Changed in: openssh (Ubuntu Yakkety)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1670745
Title: ssh-keyscan : bad host signature when using port option
Status in portable OpenSSH: Unknown
Status in openssh package in Ubuntu: Fix Released
Status in openssh source package in Xenial: Fix Committed
Status in openssh source package in Yakkety: Fix Released
Status in openssh package in Debian: Fix Released
Bug description:
[Impact]
* using ssh-keyscan with its port (-p) option will create bad entries. They
will contain the port and thereby be invalid for later use under the
purpose of known_hosts.
* Fix by backporting upstream fix.
[Test Case]
* Further evolving from the simplification Josh provided:
Testcase:
$ release=xenial
$ lxc launch ubuntu-daily:${release} ${release}-test-ssh-port-scan-client
$ lxc launch ubuntu-daily:${release} ${release}-test-ssh-port-scan-server
$ lxc exec ${release}-test-ssh-port-scan-server -- sed -i 's/Port 22/Port 2222/' /etc/ssh/sshd_config
$ lxc exec ${release}-test-ssh-port-scan-server -- service ssh restart
$ IP=$(lxc exec ${release}-test-ssh-port-scan-server -- hostname --ip-address)
$ lxc exec ${release}-test-ssh-port-scan-client -- ssh-keyscan -H -p 2222 ${IP}
# See the port in the Hash still
# Install the fixed version in *-client and see the port gone from the
output
[Regression Potential]
* Change is limited to ssh-keyscan (not touching any other parts of openssh)
* Fix is from upstream (no "Ubuntu special" change)
* Fix is small and "only" changing string creation (11 lines touched)
So overall the regression potential should be low.
[Other Info]
* n/a
---
When I use the port option with ssh-keygen, the result is not
compatible with ssh known_host file format.
UBUNTU VERSION :
================
lsb_release -rd
Description: Ubuntu 16.04.1 LTS
Release: 16.04
BAD :
============
:~/.ssh$ cat /etc/issue
Ubuntu 16.04.1 LTS \n \l
:~/.ssh$ ssh-keyscan -v -p [...port...] -t ecdsa -H [...snip...]
debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000
# [...snip...]:[...port...] SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
debug1: Enabling compatibility mode for protocol 2.0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@xxxxxxxxxx
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@xxxxxxxxxxx MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@xxxxxxxxxxx MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
[|1|BEEwVcggbNPf7fUydgU4O+BDoLg=|9SmWBUxFZkpR70Hqq8uqxLAzXFU=]:[...port...] ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLEde+dZfL0TW6Z9jh+gOkW5fG/qeP9JAejKQXdmg9D7CH4NwMrWDEjXBDDo6iirIPAB6M0uUnK2mDw7uUWXYt8=
==> we see the port number because it is not hashed !
GOOD :
============
rm ~/.ssh/known_hosts
:~/$ ssh -p [...port...] [...snip...]
The authenticity of host '[[...snip...]]:[...port...] ([[...snip...]]:[...port...])' can't be established.
ECDSA key fingerprint is SHA256:b/Jx+y3fNWFqOqTzFRI3XGrz33DBtAFFLmQaYQYFRnM.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[[...snip...]]:[...port...],[[...snip...]]:[...port...]' (ECDSA) to the list of known hosts.
[...snip...]@[...snip...]'s password:
:~/$ !cat
cat ~/.ssh/known_hosts
|1|qdg91H9/DMHLO7yGOivI17+WFQI=|B+a6SrzF1GBd3XFvmAvQRnJxLWs= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLEde+dZfL0TW6Z9jh+gOkW5fG/qeP9JAejKQXdmg9D7CH4NwMrWDEjXBDDo6iirIPAB6M0uUnK2mDw7uUWXYt8=
|1|8I/vbrBV04VaUF12JXRwxvAL9So=|ToMf+kRwbSeNertVdUVuG3iLdH8= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLEde+dZfL0TW6Z9jh+gOkW5fG/qeP9JAejKQXdmg9D7CH4NwMrWDEjXBDDo6iirIPAB6M0uUnK2mDw7uUWXYt8=
==> we cannot see the port number as it is well hashed !
REMARKS :
==============
The same problem has already been reported here (on macOS): https://github.com/ansible/ansible-modules-extras/issues/2651
It seems that the ssh-keyscan version and the open-ssh version differ:
dpkg -l | grep openssh :: ii openssh-client 1:7.2p2-4ubuntu2.1 [...]
ssh-keyscan -v [...] :: debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000
It is very annoying because I am trying to manage hand installed VMs
with Ansible. For that I want to automate SSH host keys storing in
known_hosts database. And because of this bug I can't. (ansible KIKIN
project in development).
Thank you,
BR,
Gautier HUSSON.
To manage notifications about this bug go to:
https://bugs.launchpad.net/openssh/+bug/1670745/+subscriptions
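The format point behind this bug, as an added Python illustration (not OpenSSH, Debian or Ubuntu code): a hashed known_hosts name is an HMAC-SHA1 over the whole lookup string, which for a non-default port is `[host]:port`; the unfixed ssh-keyscan hashed only the bare host and appended the port in the clear, so an `ssh -p` lookup of `[host]:port` fails and the port leaks. The host, port and key material below are constructed placeholders, since the report's values were snipped; the regex detector for the malformed shape is mine.

```python
"""known_hosts hashed-name handling, illustrating LP: #1670745 (not OpenSSH code)."""
import base64
import hashlib
import hmac
import os
import re

# Constructed sample values; the bug report's real host, port and key were snipped.
HOST, PORT = "192.0.2.10", 2222
KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialPlaceholder"

def known_hosts_name(host, port=22):
    """Name ssh looks up: the bare host on port 22, otherwise '[host]:port' as ONE string."""
    return host if port == 22 else f"[{host}]:{port}"

def hash_name(name, salt=None):
    """'|1|salt|digest' hashed entry: HMAC-SHA1 keyed with a 20-byte salt over the whole name."""
    salt = os.urandom(20) if salt is None else salt
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()

def hashed_name_matches(hashed, name):
    """What ssh-keygen -F does: re-derive the HMAC with the stored salt and compare digests."""
    _, magic, salt_b64, digest_b64 = hashed.split("|")
    if magic != "1":
        return False
    expect = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expect, base64.b64decode(digest_b64))

def buggy_keyscan_line(host, port, salt):
    """Shape written by the unfixed ssh-keyscan -H -p: bare host hashed, port left in clear."""
    return f"[{hash_name(host, salt)}]:{port} {KEY}"

def fixed_keyscan_line(host, port, salt):
    """Shape after the fix: the full '[host]:port' name is hashed, so the port is not visible."""
    return f"{hash_name(known_hosts_name(host, port), salt)} {KEY}"

# A hashed token wrapped in brackets with a port outside: the malformed shape from the report.
MALFORMED = re.compile(r"^\[\|1\|[A-Za-z0-9+/=]+\|[A-Za-z0-9+/=]+\]:\d+\s")

def malformed_lines(known_hosts_text):
    """Return 1-based line numbers of entries written by the buggy ssh-keyscan."""
    return [i for i, line in enumerate(known_hosts_text.splitlines(), 1) if MALFORMED.match(line)]
```

Running `malformed_lines` over an existing known_hosts file finds entries that need to be regenerated with the fixed ssh-keyscan, since they will never match an `ssh -p` lookup.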