On Tue, Aug 1, 2023 at 11:52 AM <[email protected]> wrote:
> Dear Guacamole Mailing list!
>
> My environment:
> OS: Ubuntu 22.04.2 LTS
> Guacamole version: 1.5.2
>
> Issue:
> The host key verification for SSH connections doesn’t work if the remote
> host’s public server key is being provided in the connection
> configuration’s appropriate field (Parameters > Network > Public host key
> (Base64)). My assumption is that I’m doing something wrong regarding the
> key’s format.

Probably not the format, but probably selecting the correct key.

> Considerations:
>
> 1) From my knowledge, the key entries in the known_hosts file,
> generated by the initial ssh connection to a new host, are already in
> base64 format – so I don’t have to convert them into base64 prior to entering
> them into the „Host public key base64“ field in Guacamole’s GUI. Is that
> assumption correct?

Yes, you should be able to copy directly from a known_hosts file.

> 2) I’m not sure if I have to insert only the key, or if the whole
> line – i.e. including the hashed hostname, key type (e.g. ssh-ed25519), etc.
> – has to be entered. Anyway, it doesn’t work with one or the other variation.

You need the key type (ssh-rsa for example) and the base64 format. You don't need the identifier at the end.

> 3) Shouldn’t it be enough to enter one of the three keys – i.e.
> ed25519, rsa or ecdsa?

No, and I suspect that this is where you're hitting an issue. You'll need to provide the key type that matches what Guacamole and the remote server negotiate to. This shouldn't be random - that is, a connection won't pick ecdsa one time and swap over to rsa the next time - there will be a preferred order of host key algorithms, and so you just need to determine which one it is negotiating to and provide that key.

> 4) Do I have to mask the line feeds somehow? Or the lines between
> double quotes?

You should remove line feeds altogether. If you're copying out of a known_hosts file, there should not be any line feeds - it should be one very long line. If your editor or copy/paste method introduces line feeds you will need to remove those.

> Observations:
>
> 1) ‚ssh user@<remotehostIPaddress>‘ from the Guacamole server’s BASH
> → OK
>
> 2) SSH connection by Guacamole without remote host’s public key (i.e.
> leaving the field blank) → OK
>
> 3) SSH connection by Guacamole with host key verification by
> GUACAMOLE_HOME/ssh_known_hosts file
>
> a. → OK if the three known_hosts entries (i.e. ssh-ed25519, ssh-rsa
> and ecdsa-sha2-nistp256) gathered by step 1) are added to the
> ssh_known_hosts file.
>
> b. → NOK if only one of the keys is being added to the
> ssh_known_hosts file. Error message in syslog: „Host key does not match
> known_hosts entry for <remoteHostIPaddress>“ and „Host key did not match
> any provided known host keys“

This goes back to making sure that you have the host key in the file that matches what is being negotiated.

-Nick
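As an added example (not part of Nick's reply or of the Guacamole project), a small Python helper that picks the one known_hosts entry whose type matches the negotiated host-key algorithm, emits it in the single-line "key type + base64" form described above with no hostname, comment or line feeds, and checks that the declared type agrees with the algorithm name embedded at the start of the base64 blob, which is how a wrong-type paste can be caught before it reaches the Guacamole field. The known_hosts content is constructed dummy data, not real host keys.

```python
import base64
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def _fake_key_blob(key_type: str, payload: bytes) -> str:
    """Constructed public-key blob laid out like a real OpenSSH host key:
    the first wire string is the algorithm name (RFC 4253 section 6.6).
    The payload is dummy filler, not usable key material."""
    return base64.b64encode(_ssh_string(key_type.encode()) + _ssh_string(payload)).decode()


# Constructed known_hosts file: one hashed-hostname line (|1|salt|hash form) and
# two plain-IP lines, mirroring the three key types seen in the thread.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "|1|c2FsdA==|aGFzaA== ssh-ed25519 " + _fake_key_blob("ssh-ed25519", b"\x01" * 32),
    "192.0.2.10 ssh-rsa " + _fake_key_blob("ssh-rsa", b"\x01\x00\x01"),
    "192.0.2.10 ecdsa-sha2-nistp256 " + _fake_key_blob("ecdsa-sha2-nistp256", b"nistp256"),
]) + "\n"


def embedded_key_type(b64: str) -> str:
    """Return the algorithm name stored inside the base64 key blob."""
    blob = base64.b64decode(b64, validate=True)  # rejects stray whitespace/line feeds
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode()


def host_key_for_field(known_hosts_text: str, key_type: str) -> str:
    """Return '<type> <base64>' for the first known_hosts entry of the given type,
    i.e. the value to paste into Guacamole's public host key field (assumed from
    the thread). Hostname, markers and trailing comments are dropped."""
    for raw in known_hosts_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            continue
        ktype, b64 = fields[1], fields[2]  # fields[0] is the (possibly hashed) host
        if ktype != key_type:
            continue
        if embedded_key_type(b64) != ktype:
            raise ValueError(f"declared type {ktype} does not match the key blob")
        return f"{ktype} {b64}"
    raise LookupError(f"no {key_type} entry in known_hosts")
```

Pick `key_type` from the algorithm the client actually negotiated (for example as reported by `ssh -v` during a manual connection from the Guacamole server), then paste the returned single line.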
