[Bug 1670745] Re: ssh-keyscan : bad host signature when using port option
ChristianEhrhardt
1670745 at bugs.launchpad.net
Thu Mar 16 14:22:37 UTC 2017
FYI - Colin has merged the fix, uploaded to Debian and synced to Zesty.
But the sync is blocked by an issue with another bundled fix (see bug 1668093).
Just checked affected Releases for the SRUs to be prepared:
- Trusty: not affected
- Xenial: affected
- Yakkety: affected
That is just the set I prepare the SRU for anyway; as discussed, I am including the fix in my prep.
And adding a proper SRU Template here now + bug tasks ...
** Description changed:
+ [Impact]
+
+ * An explanation of the effects of the bug on users and
+
+ * justification for backporting the fix to the stable release.
+
+ * In addition, it is helpful, but not required, to include an
+ explanation of how the upload fixes this bug.
+
+ [Test Case]
+
+ * Further evolving from the simplification Josh provided:
+ Testcase:
+ $ release=xenial
+ $ lxc launch ubuntu-daily:${release} ${release}-test-ssh-port-scan-client
+ $ lxc launch ubuntu-daily:${release} ${release}-test-ssh-port-scan-server
+ $ lxc exec ${release}-test-ssh-port-scan-server -- sed -i 's/Port 22/Port 2222/' /etc/ssh/sshd_config
+ $ lxc exec ${release}-test-ssh-port-scan-server -- service ssh restart
+ $ IP=$(lxc exec ${release}-test-ssh-port-scan-server -- hostname --ip-address)
+ $ lxc exec ${release}-test-ssh-port-scan-client -- ssh-keyscan -H -p 2222 ${IP}
+
+ # See the port in the Hash still
+
+ # Install the fixed version in *-client and see the port gone from the
+ output
+
+ [Regression Potential]
+
+ * Change is limited to ssh-keyscan (not any touching other parts of openssh)
+ * Fix is from upstream (no "Ubuntu special" change)
+ * Fix is small and "only" changing string creation (11 lines touched)
+ So overall the regression potential should be low.
+
+ [Other Info]
+
+ * n/a
+
+
+ ---
+
When I use the port option with ssh-keygen, the result is not compatible
with ssh known_host file format.
UBUNTU VERSION :
================
lsb_release -rd
Description: Ubuntu 16.04.1 LTS
Release: 16.04
-
BAD :
============
:~/.ssh$ cat /etc/issue
Ubuntu 16.04.1 LTS \n \l
:~/.ssh$ ssh-keyscan -v -p [...port...] -t ecdsa -H [...snip...]
debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000
# [...snip...]:[...port...] SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
debug1: Enabling compatibility mode for protocol 2.0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
[|1|BEEwVcggbNPf7fUydgU4O+BDoLg=|9SmWBUxFZkpR70Hqq8uqxLAzXFU=]:[...port...] ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLEde+dZfL0TW6Z9jh+gOkW5fG/qeP9JAejKQXdmg9D7CH4NwMrWDEjXBDDo6iirIPAB6M0uUnK2mDw7uUWXYt8=
==> we see the port number because it is not hashed !
GOOD :
============
rm ~/.ssh/known_hosts
:~/$ ssh -p [...port...] [...snip...]
The authenticity of host '[[...snip...]]:[...port...] ([[...snip...]]:[...port...])' can't be established.
ECDSA key fingerprint is SHA256:b/Jx+y3fNWFqOqTzFRI3XGrz33DBtAFFLmQaYQYFRnM.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[[...snip...]]:[...port...],[[...snip...]]:[...port...]' (ECDSA) to the list of known hosts.
- [...snip...]@[...snip...]'s password:
+ [...snip...]@[...snip...]'s password:
:~/$ !cat
cat ~/.ssh/known_hosts
|1|qdg91H9/DMHLO7yGOivI17+WFQI=|B+a6SrzF1GBd3XFvmAvQRnJxLWs= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLEde+dZfL0TW6Z9jh+gOkW5fG/qeP9JAejKQXdmg9D7CH4NwMrWDEjXBDDo6iirIPAB6M0uUnK2mDw7uUWXYt8=
|1|8I/vbrBV04VaUF12JXRwxvAL9So=|ToMf+kRwbSeNertVdUVuG3iLdH8= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLEde+dZfL0TW6Z9jh+gOkW5fG/qeP9JAejKQXdmg9D7CH4NwMrWDEjXBDDo6iirIPAB6M0uUnK2mDw7uUWXYt8=
==> we cannot see the port number as it is well hashed !
REMARKS :
==============
The same problem has already been reported here (on macOS): https://github.com/ansible/ansible-modules-extras/issues/2651
It seems that the ssh-keyscan version and the openssh version differ:
dpkg -l | grep openssh :: ii openssh-client 1:7.2p2-4ubuntu2.1 [...]
ssh-keyscan -v [...] :: debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000
It is very annoying because I am trying to manage hand installed VMs
with Ansible. For that I want to automate SSH host keys storing in
known_hosts database. And because of this bug I can't. (ansible KIKIN
project in development).
Thank you,
BR,
Gautier HUSSON.
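The hashed known_hosts format behind the BAD/GOOD comparison above, as an added example that is not part of the bug report or of OpenSSH's own code: a hashed host field is `|1|base64(salt)|base64(HMAC-SHA1(salt, hostname))`, and for a non-default port the hostname that must be hashed is the whole string `[host]:port`. The host, port, salt and the way the buggy field is assembled (bare host hashed, port appended outside the brackets, matching the layout in the report) are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
import re

# Hashed known_hosts host field (HashKnownHosts / ssh-keyscan -H):
#   |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))
# For a non-default port the hostname that gets hashed is "[host]:port".

def known_hosts_name(host, port=22):
    """Hostname exactly as ssh(1) records it before hashing."""
    return host if port == 22 else f"[{host}]:{port}"

def hash_known_host(name, salt=None):
    """Build the '|1|salt|hmac' field for a (possibly bracketed) hostname."""
    if salt is None:
        salt = os.urandom(20)  # ssh uses a 20-byte random salt
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return f"|1|{base64.b64encode(salt).decode()}|{base64.b64encode(digest).decode()}"

def hashed_field_matches(field, name):
    """Recompute the HMAC with the stored salt and compare, as ssh does on lookup."""
    m = re.fullmatch(r"\|1\|([A-Za-z0-9+/=]+)\|([A-Za-z0-9+/=]+)", field)
    if not m:
        return False
    salt, stored = base64.b64decode(m.group(1)), base64.b64decode(m.group(2))
    return hmac.compare_digest(hmac.new(salt, name.encode(), hashlib.sha1).digest(), stored)

def leaks_port(field):
    """True for the pre-fix ssh-keyscan layout '[|1|salt|hmac]:port':
    only the bare host was hashed and the port is left readable outside."""
    return re.fullmatch(r"\[\|1\|[^|\]]+\|[^|\]]+\]:\d+", field) is not None

# Constructed sample: host 192.0.2.10 on port 2222 with a fixed salt (not from the report).
SALT = b"\x2a" * 20
HOST, PORT = "192.0.2.10", 2222
GOOD_FIELD = hash_known_host(known_hosts_name(HOST, PORT), SALT)   # "[host]:port" hashed whole
BAD_FIELD = f"[{hash_known_host(HOST, SALT)}]:{PORT}"               # host hashed, port appended

def demo():
    return {
        "good_matches_host_port": hashed_field_matches(GOOD_FIELD, known_hosts_name(HOST, PORT)),
        "good_hides_port": not leaks_port(GOOD_FIELD),
        "bad_leaks_port": leaks_port(BAD_FIELD),
        # ssh looks up "[host]:port", so the buggy field never matches on connect either
        "bad_matches_lookup": hashed_field_matches(BAD_FIELD, known_hosts_name(HOST, PORT)),
    }
```

`leaks_port` is the check to run over `ssh-keyscan -H -p <port>` output to confirm the fixed version is installed: a field still matching it means the port is exposed in clear and the line will not match on connect.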
https://bugs.launchpad.net/bugs/1670745
Title:
ssh-keyscan : bad host signature when using port option
Status in portable OpenSSH:
Unknown
Status in openssh package in Ubuntu:
In Progress
Status in openssh package in Debian:
Fix Released