ssh-keyscan : bad host signature when using port option
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| portable OpenSSH | Unknown | Unknown | | |
| openssh (Debian) | Fix Released | Unknown | | |
| openssh (Ubuntu) | Fix Released | High | Unassigned | |
| Xenial | Fix Released | Undecided | Unassigned | |
| Yakkety | Fix Released | Undecided | Unassigned | |
Bug Description
[Impact]
* Using ssh-keyscan with its port (-p) option creates bad entries: the
port is written outside the hash, so the entries are invalid for
later use as known_hosts lines.
* Fix by backporting the upstream fix.
[Test Case]
* Further evolving from the simplification Josh provided:
Testcase:
$ release=xenial
$ lxc launch ubuntu-
$ lxc launch ubuntu-
$ lxc exec ${release}
$ lxc exec ${release}
$ IP=$(lxc exec ${release}
$ lxc exec ${release}
# See the port in the Hash still
# Install the fixed version in *-client and see the port gone from the output
[Regression Potential]
* The change is limited to ssh-keyscan (it does not touch other parts of openssh).
* The fix is from upstream (no "Ubuntu special" change).
* The fix is small and "only" changes string creation (11 lines touched).
So overall the regression potential should be low.
[Other Info]
* n/a
---
When I use the port option with ssh-keygen, the result is not compatible with the ssh known_hosts file format.
UBUNTU VERSION :
================
lsb_release -rd
Description: Ubuntu 16.04.1 LTS
Release: 16.04
BAD :
============
:~/.ssh$ cat /etc/issue
Ubuntu 16.04.1 LTS \n \l
:~/.ssh$ ssh-keyscan -v -p [...port...] -t ecdsa -H [...snip...]
debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000
# [...snip.
debug1: Enabling compatibility mode for protocol 2.0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: <email address hidden>
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: <email address hidden> MAC: <implicit> compression: none
debug1: kex: client->server cipher: <email address hidden> MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_
[|1|BEEwVcggbNP
==> we see the port number because it is not hashed !
GOOD :
============
rm ~/.ssh/known_hosts
:~/$ ssh -p [...port...] [...snip...]
The authenticity of host '[[...snip.
ECDSA key fingerprint is SHA256:
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[[...snip.
[...snip.
:~/$ !cat
cat ~/.ssh/known_hosts
|1|qdg91H9/
|1|8I/vbrBV04Va
==> we cannot see the port number as it is well hashed !
REMARKS :
==============
The same problem has already been reported here (on macOS): https:/
It seems that the ssh-keyscan version and the openssh version differ:
dpkg -l | grep openssh :: ii openssh-client 1:7.2p2-4ubuntu2.1 [...]
ssh-keyscan -v [...] :: debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000
It is very annoying because I am trying to manage hand-installed VMs with Ansible. For that I want to automate storing SSH host keys in the known_hosts database, and because of this bug I can't. (Ansible KIKIN project in development.)
Thank you,
BR,
Gautier HUSSON.
Changed in openssh (Debian): status: Unknown → New
Changed in openssh (Debian): status: New → Fix Released
description: updated
tags: added: server-next
description: updated
Changed in openssh (Ubuntu): assignee: Joshua Powers (powersj) → nobody
Thanks for the bug report!
Steps to reproduce:
$ lxc launch ubuntu-daily:xenial xenial
# edit /etc/ssh/sshd_config and change port to 2222
# service ssh restart
# ip a to note container IP
# exit
$ ssh-keyscan -H -p 2222 <container IP>
The port will be in the output and not hashed as described in the report.
The linked Github issue did state there is a workaround by getting the values unhashed and then hashing them in a second step. Not saying this is ideal, but it is a workaround:
$ ssh-keyscan -p 2222 <container IP>
$ ssh-keygen -H -f .ssh/authorized_keys && rm .ssh/authorized_keys.old
Because the man page for ssh-keyscan clearly states that -H will include the hostnames and addresses and makes no mention of port in the hash, I have filed a bug with openssh to get clarity on the expected behavior and if this should be fixed.
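To make the report's "BAD" versus "GOOD" output concrete, here is an added Python example (not code from OpenSSH or from this bug) that hashes a host name the way ssh-keygen -H does, as a `|1|salt|HMAC-SHA1` token over the `[host]:port` name ssh looks up for non-default ports, verifies a hashed entry against a name, and flags the malformed `[|1|...]:port` lines the old ssh-keyscan wrote. The host, port and key text are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

HASH_MAGIC = "|1|"  # marker ssh uses for hashed known_hosts host fields


def hostname_for_port(host: str, port: int) -> str:
    """Name ssh looks up in known_hosts: bare host on port 22, else [host]:port."""
    return host if port == 22 else f"[{host}]:{port}"


def hash_hostname(name: str, salt: Optional[bytes] = None) -> str:
    """Build a |1|salt|hash token like ssh-keygen -H: HMAC-SHA1 keyed with a 20-byte salt."""
    if salt is None:
        salt = os.urandom(hashlib.sha1().digest_size)
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def hashed_entry_matches(token: str, name: str) -> bool:
    """Check a hashed host field against a candidate lookup name (constant-time compare)."""
    if not token.startswith(HASH_MAGIC):
        return False
    try:
        salt_b64, mac_b64 = token[len(HASH_MAGIC):].split("|")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
    except ValueError:  # wrong field count or bad base64
        return False
    return hmac.compare_digest(hmac.new(salt, name.encode(), hashlib.sha1).digest(), expected)


def is_broken_keyscan_entry(line: str) -> bool:
    """True for the form the buggy ssh-keyscan -H -p emitted: [|1|salt|hash]:port key..."""
    host_field = line.split(None, 1)[0] if line.strip() else ""
    return host_field.startswith("[" + HASH_MAGIC) and "]:" in host_field


def audit_known_hosts(text: str, host: str, port: int):
    """Return (lines matching host:port, malformed keyscan lines) for a known_hosts body."""
    name = hostname_for_port(host, port)
    matching, broken = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if is_broken_keyscan_entry(line):
            broken.append(line)
        elif hashed_entry_matches(line.split(None, 1)[0], name):
            matching.append(line)
    return matching, broken
```

A line reported as broken will never match an ssh lookup, because ssh hashes the whole `[host]:port` string rather than wrapping a hash of the bare host.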