Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Host key validation doesn't work when not using port 22 #8139

Closed
afbjorklund opened this issue Oct 25, 2020 · 3 comments · Fixed by #8141
Closed

Host key validation doesn't work when not using port 22 #8139

afbjorklund opened this issue Oct 25, 2020 · 3 comments · Fixed by #8141
Assignees
Labels
In Progress This issue is actively being worked by the assignee, please do not work on this at this time. kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@afbjorklund
Copy link
Contributor

afbjorklund commented Oct 25, 2020

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

The retrieval of the HostKey doesn't account for ports, and fails to find the proper host key.

Unfortunately the fallback for FixedHostKey is InsecureIgnoreHostKey, so no error is shown.

Steps to reproduce the issue:

  1. # run "minikube podman-env" to set up the podman environment for connecting to podman

  2. export CONTAINER_HOST="ssh://[email protected]:32811/run/podman/podman.sock?secure=True"

  3. podman-remote version

Describe the results you received:

Happily connects, even when the host key has been changed (or not properly updated)

So the "secure" parameter doesn't have any effect, behaves the same as without "secure"

Describe the results you expected:

Error: Failed to create sshClient: Connection to bastion host (ssh://[email protected]:32811/run/podman/podman.sock?secure=True) failed.: ssh: handshake failed: ssh: host key mismatch

Using a regular ssh connection rightfully complains about the connection not being secure:

$ ssh -p 32811 [email protected]
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:Mk7G0Bq+dUQ72wgtkb+gG4brTiI0+diQIR6Y0aFlhRs.
Please contact your system administrator.

Additional information you deem important (e.g. issue happens only occasionally):

Only happens when using a ssh port other than 22.

Output of podman version:

Client:
Version:      2.1.1
API Version:  2.0.0
Go Version:   go1.15.2
Built:        Thu Jan  1 01:00:00 1970
OS/Arch:      linux/amd64

Server:
Version:      2.1.1
API Version:  2.0.0
Go Version:   go1.15.2
Built:        Thu Jan  1 01:00:00 1970
OS/Arch:      linux/amd64

Output of podman info --debug:

(paste your output here)

Package info (e.g. output of rpm -q podman or apt list podman):

(paste your output here)

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):

Ubuntu 20.04

@openshift-ci-robot openshift-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Oct 25, 2020
@afbjorklund
Copy link
Contributor Author

Will default to ignoring host keys for now, so that it works with 2.1.1.

Also using $CONTAINER_SSHKEY, so avoid the ssh infrastructure.

@mheon
Copy link
Member

mheon commented Oct 25, 2020

@jwhonce PTAL

@rhatdan rhatdan added the In Progress This issue is actively being worked by the assignee, please do not work on this at this time. label Oct 26, 2020
@afbjorklund
Copy link
Contributor Author

afbjorklund commented Oct 27, 2020

There is a related issue, when user (or system) is using hashed entries (|) in known_hosts:

ssh-keyscan(1)

     -H      Hash all hostnames and addresses in the output.  Hashed names may
             be used normally by ssh(1) and sshd(8), but they do not reveal
             identifying information should the file's contents be disclosed.

sshd(8)

     Hostnames is a comma-separated list of patterns (‘*’ and ‘?’ act as wild‐
     cards); each pattern in turn is matched against the host name.  When sshd
     is authenticating a client, such as when using HostbasedAuthentication,
     this will be the canonical client host name.  When ssh(1) is authenticat‐
     ing a server, this will be the host name given by the user, the value of
     the ssh(1) HostkeyAlias if it was specified, or the canonical server
     hostname if the ssh(1) CanonicalizeHostname option was used.

     A pattern may also be preceded by ‘!’ to indicate negation: if the host
     name matches a negated pattern, it is not accepted (by that line) even if
     it matched another pattern on the line.  A hostname or address may op‐
     tionally be enclosed within ‘[’ and ‘]’ brackets then followed by ‘:’ and
     a non-standard port number.

     Alternately, hostnames may be stored in a hashed form which hides host
     names and addresses should the file's contents be disclosed.  Hashed
     hostnames start with a ‘|’ character.  Only one hashed hostname may ap‐
     pear on a single line and none of the above negation or wildcard opera‐
     tors may be applied.

But I can open separate issue for that, there doesn't seem to be any code to do the hashing ?

EDIT: My bad, there is:

package knownhosts // import "golang.org/x/crypto/ssh/knownhosts"

func HashHostname(hostname string) string
    HashHostname hashes the given hostname. The hostname is not normalized
    before hashing.

Not sure if anyone actually uses the commas or wildcards or negation, so can ignore those...

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 22, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 22, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
In Progress This issue is actively being worked by the assignee, please do not work on this at this time. kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants