[Bug 1670745] Re: ssh-keyscan : bad host signature when using port option

Gautier HUSSON 1670745 at bugs.launchpad.net
Thu Apr 6 12:56:34 UTC 2017 

First : thank you everybody for all your work !

At now I am not able to see the difference. But I think I may not doing the right thing in order to test :
wget "http://launchpadlibrarian.net/254059000/openssh-client_7.2p2-4_amd64.deb"
dpkg -i openssh-client_7.2p2-4_amd64.deb
ssh-keyscan -v -t dsa -H -p 22000 -T 5 test.[snip]
debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000
# test.liberasys.com:22000 SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
debug1: Enabling compatibility mode for protocol 2.0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256 at libssh.org
debug1: kex: host key algorithm: ssh-dss
debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
[|1|xkG3IqIo2wV4LVdHUIdFxpV+cN0=|qPnIs826Ny8lK2r9MYnN94rt+3w=]:22000 ssh-dss AAAAB3NzaC1kc3MAAACBAOWWBwm[snip]

==> OpenSSH_6.7p1 is not the right version... although :

ssh -V
OpenSSH_7.2p2 Ubuntu-4, OpenSSL 1.0.2g  1 Mar 2016

root at ghu-thinkpad:~# dpkg -l | grep ssh
ii  libssh-4:amd64                              0.6.3-4.3                                     amd64        tiny C SSH library (OpenSSL flavor)
ii  libssh-gcrypt-4:amd64                       0.6.3-4.3                                     amd64        tiny C SSH library (gcrypt flavor)
ii  libssh2-1:amd64                             1.5.0-2ubuntu0.1                              amd64        SSH2 client-side library
ii  openssh-client                              1:7.2p2-4                                     amd64        secure shell (SSH) client, for secure access to remote machines
ii  python-paramiko                             1.16.0-1                                      all          Make ssh v2 connections with Python (Python 2)
ii  sshpass                                     1.05-1                                        amd64        Non-interactive ssh password authentication

It may be due to the libssh that I have not updated ?
RQ : I preafer to install updated packages directly rather than playing with dpgk database (I may be wrong on this point).

Thank you for your help.
B.R.
Gautier.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1670745

Title:
  ssh-keyscan : bad host signature when using port option

Status in portable OpenSSH:
  Unknown
Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Xenial:
  Fix Committed
Status in openssh source package in Yakkety:
  Fix Committed
Status in openssh package in Debian:
  Fix Released

Bug description:
  [Impact]

   * using ssh-keyscan while using the port (-p) option of it will create 
     bad entries. They will contain the port and thereby be invalid for 
     latter use under the purpose of known_hosts.

   * Fix by backporting upstream fix.

  [Test Case]

   * Further evolving from the simplification Josh provided:
  Testcase:
  $ release=xenial
  $ lxc launch ubuntu-daily:${release} ${release}-test-ssh-port-scan-client
  $ lxc launch ubuntu-daily:${release} ${release}-test-ssh-port-scan-server
  $ lxc exec ${release}-test-ssh-port-scan-server -- sed -i 's/Port 22/Port 2222/' /etc/ssh/sshd_config
  $ lxc exec ${release}-test-ssh-port-scan-server -- service ssh restart
  $ IP=$(lxc exec ${release}-test-ssh-port-scan-server -- hostname --ip-address)
  $ lxc exec ${release}-test-ssh-port-scan-client -- ssh-keyscan -H -p 2222 ${IP}

  # See the port in the Hash still

  # Install the fixed version in *-client and see the port gone from the
  output

  [Regression Potential]

   * Change is limited to ssh-keyscan (not any touching other parts of openssh)
   * Fix is from upstream (no "Ubuntu special" change)
   * Fix is small and "only" changing string creation (11 lines touched)
   So overall the regression potential should be low.

  [Other Info]

   * n/a

  ---

  When I use the port option with ssh-keygen, the result is not
  compatible with ssh known_host file format.

  UBUNTU VERSION :
  ================
  lsb_release -rd
  Description:	Ubuntu 16.04.1 LTS
  Release:	16.04

  BAD :
  ============
  :~/.ssh$ cat /etc/issue
  Ubuntu 16.04.1 LTS \n \l
  :~/.ssh$ ssh-keyscan -v -p [...port...] -t ecdsa -H [...snip...]
  debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000
  # [...snip...]:[...port...] SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
  debug1: Enabling compatibility mode for protocol 2.0
  debug1: SSH2_MSG_KEXINIT sent
  debug1: SSH2_MSG_KEXINIT received
  debug1: kex: algorithm: curve25519-sha256 at libssh.org
  debug1: kex: host key algorithm: ecdsa-sha2-nistp256
  debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC: <implicit> compression: none
  debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com MAC: <implicit> compression: none
  debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
  [|1|BEEwVcggbNPf7fUydgU4O+BDoLg=|9SmWBUxFZkpR70Hqq8uqxLAzXFU=]:[...port...] ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLEde+dZfL0TW6Z9jh+gOkW5fG/qeP9JAejKQXdmg9D7CH4NwMrWDEjXBDDo6iirIPAB6M0uUnK2mDw7uUWXYt8=

  ==> we see the port number because it is not hashed !

  GOOD :
  ============
  rm ~/.ssh/known_hosts
  :~/$ ssh -p [...port...] [...snip...]
  The authenticity of host '[[...snip...]]:[...port...] ([[...snip...]]:[...port...])' can't be established.
  ECDSA key fingerprint is SHA256:b/Jx+y3fNWFqOqTzFRI3XGrz33DBtAFFLmQaYQYFRnM.
  Are you sure you want to continue connecting (yes/no)? yes
  Warning: Permanently added '[[...snip...]]:[...port...],[[...snip...]]:[...port...]' (ECDSA) to the list of known hosts.
  [...snip...]@[...snip...]'s password:

  :~/$ !cat
  cat ~/.ssh/known_hosts
  |1|qdg91H9/DMHLO7yGOivI17+WFQI=|B+a6SrzF1GBd3XFvmAvQRnJxLWs= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLEde+dZfL0TW6Z9jh+gOkW5fG/qeP9JAejKQXdmg9D7CH4NwMrWDEjXBDDo6iirIPAB6M0uUnK2mDw7uUWXYt8=
  |1|8I/vbrBV04VaUF12JXRwxvAL9So=|ToMf+kRwbSeNertVdUVuG3iLdH8= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLEde+dZfL0TW6Z9jh+gOkW5fG/qeP9JAejKQXdmg9D7CH4NwMrWDEjXBDDo6iirIPAB6M0uUnK2mDw7uUWXYt8=

  ==> we cannot see the port number as it is well hashed !

  REMARKS :
  ==============
  Same problem has already reported here (on macOS): https://github.com/ansible/ansible-modules-extras/issues/2651

  It seems that ssh-keyscan version and open-ssh version differs :
  dpkg -l | grep openssh :: ii  openssh-client  1:7.2p2-4ubuntu2.1      [...]
  ssh-keyscan -v [...] :: debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000

  It is very annoying because I am trying to manage hand installed VMs
  with Ansible. For that I want to automate SSH host keys storing in
  known_hosts database. And because of this bug I can't. (ansible KIKIN
  project in development).

  Thank you,
  BR,
  Gautier HUSSON.

To manage notifications about this bug go to:
https://bugs.launchpad.net/openssh/+bug/1670745/+subscriptions

More information about the foundations-bugs mailing list