Ubuntu 18.10's libssh 0.8.1 regresses parsing of known_hosts. This happens (sometimes) if there are multiple known_host key types (e.g. ssh-rsa and ssh-ed25519), then it can happen that ssh_session_is_known_server() fails with SSH_SERVER_FOUND_OTHER [1].
I noticed this with testing Cockpit on Ubuntu 18.10 [2], which has a few test cases exercising cockpit-ssh (which uses libssh). The scenario is a FreeIPA centrally managed known_hosts file with these entries:
x0.cockpit.lan ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCv5sLKfLDuEAbTcHC3eOgJM+Ot7F077KewD4e1lGzfw300Jo4xnuPsoJEVSCR7OjsYQCnuVGlqtlavMCLFzIBNk06iTBg/nl+W+xa3CFNITbAjiBif7SeY0XL6Xeqzb1VYXNVfwKQKpcGIbDne6jyou4wRZV1eay03FHTSkd2+XKM6GOUGlkEUoPyAwYPHqoKUYiiyBxJs20l/peXVx6jsGgs2Sc6gl3KJP0TB2E7ncD1pWHGRtiNshFFVarw/YKr+Rs+KhiVS3CAAfYDhpBNWXOwTKyx2euJjAhsRF10bx6pnuadSEpT8Ufo5/YFIVAD1GHptULSzVjUoJm6ktoHB
x0.cockpit.lan ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCkJ6CaqhzUhrbpbVmZ8BmZZgM3u6BukZ6HFB2a4NLQBdgpHlHbxoJ47ocTImctyFMiDi0y6vCb4tFuZgp6Krmk= root@(none)
x0.cockpit.lan ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINK6gcOyH4OhiKPcNr33Kl6e+wFAUy9tGFBU/o4yWkxh root@(none)
Connecting to that host with the standard ssh client works:
$ ssh -vv x0.cockpit.lan
[...]
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:MgfkN6HEl+pdz0X7+6q08IVkUZOtEDzfA6V18Wm9DgA
debug1: Host 'x0.cockpit.lan' is known and matches the ECDSA host key.
debug1: Found key in /var/lib/sss/pubconf/known_hosts:3
[...]
<email address hidden>@x0:~$
But not with cockpit-ssh. This shows the JSON protocol (note that you need to copy&paste the correct cookie value from the response):
$ G_MESSAGES_DEBUG=cockpit-ssh cockpit-bridge --interact=---
{ "command": "open", "channel": "c", "payload": "echo", "host": "x0.cockpit.lan", "user": "<email address hidden>" }
---
{"command":"authorize","challenge":"*","cookie":"session107271540364829"}
---
{"command":"authorize", "response": "password foobarfoo", "cookie": "session107271540364829"}
---
(cockpit-ssh:10814): cockpit-ssh-DEBUG: 03:11:51.049: cockpit-ssh x0.cockpit.lan: host not known in any local file, asking sssd
(cockpit-ssh:10814): cockpit-ssh-DEBUG: 03:11:51.472: cockpit-ssh x0.cockpit.lan: using known hosts file /tmp/known-hosts.IDKNRZ
(cockpit-ssh:10814): cockpit-ssh-DEBUG: 03:11:51.542: cockpit-ssh x0.cockpit.lan: connected
cockpit-ssh-Message: 03:07:30.828: cockpit-ssh x0.cockpit.lan: host key for this server changed key type: ssh-ed25519
{"command":"close","host-key":"x0.cockpit.lan ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINK6gcOyH4OhiKPcNr33Kl6e+wFAUy9tGFBU/o4yWkxh\n","host-fingerprint":"a0:27:1e:80:de:fd:4b:8a:0d:9d:a9:b6:42:7d:5c:b9","problem":"invalid-hostkey","error":"invalid-hostkey","auth-method-results":{},"channel":"c"}
---
The "host key for this server changed key type" is the effect of this bug.
[1] http://api.libssh.org/master/group__libssh__session.html#gac%20bc5d04fe66beee863a0c61a93fdf765
[2] https://github.com/cockpit-project/cockpit/pull/10357
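The lookup outcome the report expects, as an added example (not code from libssh or Cockpit): every known_hosts entry for the host is consulted, so a key-type mismatch is reported only when no entry of the offered type exists. The result labels, the rsa-only.example host and the key blobs are constructed placeholders, and hashed or wildcard host patterns are not handled.

```python
# Added illustration of multi-key-type known_hosts matching; not libssh code.
OK, CHANGED, FOUND_OTHER, UNKNOWN = "OK", "CHANGED", "FOUND_OTHER", "UNKNOWN"

# Constructed sample: same layout as the report (three key types for one
# host); the key blobs are placeholders, not real keys.
SAMPLE = """\
# constructed known_hosts sample
x0.cockpit.lan ssh-rsa AAAA-constructed-rsa-key
x0.cockpit.lan ecdsa-sha2-nistp256 AAAA-constructed-ecdsa-key root@(none)
x0.cockpit.lan ssh-ed25519 AAAA-constructed-ed25519-key root@(none)
rsa-only.example ssh-rsa AAAA-constructed-other-rsa-key
"""

def parse_known_hosts(text):
    """Yield (host_list, key_type, base64_key) for each plain entry."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # blank, comment, malformed, or @marker line
        yield fields[0].split(","), fields[1], fields[2]

def check_host_key(text, host, key_type, key_b64):
    """Classify the key a server offered against ALL entries for the host."""
    same_type_seen = other_type_seen = False
    for hosts, entry_type, entry_key in parse_known_hosts(text):
        if host not in hosts:
            continue
        if entry_type != key_type:
            other_type_seen = True      # keep scanning: a later line may match
        elif entry_key == key_b64:
            return OK                   # exact match wins regardless of order
        else:
            same_type_seen = True
    if same_type_seen:
        return CHANGED                  # same type recorded, different key
    if other_type_seen:
        return FOUND_OTHER              # only other key types recorded
    return UNKNOWN

if __name__ == "__main__":
    print(check_host_key(SAMPLE, "x0.cockpit.lan", "ssh-ed25519",
                         "AAAA-constructed-ed25519-key"))
```
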