[Touch-packages] [Bug 1670745] Re: ssh-keyscan : bad host signature when using port option

Wed, 19 Apr 2017 07:43:01 -0700 

** Changed in: openssh (Ubuntu)
     Assignee: Joshua Powers (powersj) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1670745

Title:
  ssh-keyscan : bad host signature when using port option

Status in portable OpenSSH:
  Unknown
Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Xenial:
  Fix Committed
Status in openssh source package in Yakkety:
  Fix Committed
Status in openssh package in Debian:
  Fix Released

Bug description:
  [Impact]

   * using ssh-keyscan while using the port (-p) option of it will create 
     bad entries. They will contain the port and thereby be invalid for 
     latter use under the purpose of known_hosts.

   * Fix by backporting upstream fix.

  [Test Case]

   * Further evolving from the simplification Josh provided:
  Testcase:
  $ release=xenial
  $ lxc launch ubuntu-daily:${release} ${release}-test-ssh-port-scan-client
  $ lxc launch ubuntu-daily:${release} ${release}-test-ssh-port-scan-server
  $ lxc exec ${release}-test-ssh-port-scan-server -- sed -i 's/Port 22/Port 
2222/' /etc/ssh/sshd_config
  $ lxc exec ${release}-test-ssh-port-scan-server -- service ssh restart
  $ IP=$(lxc exec ${release}-test-ssh-port-scan-server -- hostname --ip-address)
  $ lxc exec ${release}-test-ssh-port-scan-client -- ssh-keyscan -H -p 2222 
${IP}

  # See the port in the Hash still

  # Install the fixed version in *-client and see the port gone from the
  output

  [Regression Potential]

   * Change is limited to ssh-keyscan (not any touching other parts of openssh)
   * Fix is from upstream (no "Ubuntu special" change)
   * Fix is small and "only" changing string creation (11 lines touched)
   So overall the regression potential should be low.

  [Other Info]

   * n/a

  ---

  When I use the port option with ssh-keygen, the result is not
  compatible with ssh known_host file format.

  UBUNTU VERSION :
  ================
  lsb_release -rd
  Description:  Ubuntu 16.04.1 LTS
  Release:      16.04

  BAD :
  ============
  :~/.ssh$ cat /etc/issue
  Ubuntu 16.04.1 LTS \n \l
  :~/.ssh$ ssh-keyscan -v -p [...port...] -t ecdsa -H [...snip...]
  debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000
  # [...snip...]:[...port...] SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
  debug1: Enabling compatibility mode for protocol 2.0
  debug1: SSH2_MSG_KEXINIT sent
  debug1: SSH2_MSG_KEXINIT received
  debug1: kex: algorithm: curve25519-sha...@libssh.org
  debug1: kex: host key algorithm: ecdsa-sha2-nistp256
  debug1: kex: server->client cipher: chacha20-poly1...@openssh.com MAC: 
<implicit> compression: none
  debug1: kex: client->server cipher: chacha20-poly1...@openssh.com MAC: 
<implicit> compression: none
  debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
  [|1|BEEwVcggbNPf7fUydgU4O+BDoLg=|9SmWBUxFZkpR70Hqq8uqxLAzXFU=]:[...port...] 
ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLEde+dZfL0TW6Z9jh+gOkW5fG/qeP9JAejKQXdmg9D7CH4NwMrWDEjXBDDo6iirIPAB6M0uUnK2mDw7uUWXYt8=

  ==> we see the port number because it is not hashed !

  GOOD :
  ============
  rm ~/.ssh/known_hosts
  :~/$ ssh -p [...port...] [...snip...]
  The authenticity of host '[[...snip...]]:[...port...] 
([[...snip...]]:[...port...])' can't be established.
  ECDSA key fingerprint is SHA256:b/Jx+y3fNWFqOqTzFRI3XGrz33DBtAFFLmQaYQYFRnM.
  Are you sure you want to continue connecting (yes/no)? yes
  Warning: Permanently added 
'[[...snip...]]:[...port...],[[...snip...]]:[...port...]' (ECDSA) to the list 
of known hosts.
  [...snip...]@[...snip...]'s password:

  :~/$ !cat
  cat ~/.ssh/known_hosts
  |1|qdg91H9/DMHLO7yGOivI17+WFQI=|B+a6SrzF1GBd3XFvmAvQRnJxLWs= 
ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLEde+dZfL0TW6Z9jh+gOkW5fG/qeP9JAejKQXdmg9D7CH4NwMrWDEjXBDDo6iirIPAB6M0uUnK2mDw7uUWXYt8=
  |1|8I/vbrBV04VaUF12JXRwxvAL9So=|ToMf+kRwbSeNertVdUVuG3iLdH8= 
ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLEde+dZfL0TW6Z9jh+gOkW5fG/qeP9JAejKQXdmg9D7CH4NwMrWDEjXBDDo6iirIPAB6M0uUnK2mDw7uUWXYt8=

  ==> we cannot see the port number as it is well hashed !

  REMARKS :
  ==============
  Same problem has already reported here (on macOS): 
https://github.com/ansible/ansible-modules-extras/issues/2651

  It seems that ssh-keyscan version and open-ssh version differs :
  dpkg -l | grep openssh :: ii  openssh-client  1:7.2p2-4ubuntu2.1      [...]
  ssh-keyscan -v [...] :: debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat 
OpenSSH* compat 0x04000000

  It is very annoying because I am trying to manage hand installed VMs
  with Ansible. For that I want to automate SSH host keys storing in
  known_hosts database. And because of this bug I can't. (ansible KIKIN
  project in development).

  Thank you,
  BR,
  Gautier HUSSON.

To manage notifications about this bug go to:
https://bugs.launchpad.net/openssh/+bug/1670745/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to