ssh: golang/crypto/ssh prioritizes server's kex algo instead of parsing known_hosts first · Issue #1526 · coreos/fleet · GitHub
https://github.com/coreos/fleet/issues/1526
This repository was archived by the owner on Jan 30, 2020. It is now read-only.

ssh: golang/crypto/ssh prioritizes server's kex algo instead of parsing known_hosts first #1526

Closed
kayrus opened this issue Apr 1, 2016 · 2 comments

Comments

kayrus (Contributor) commented Apr 1, 2016

Original issue was reported here: coreos/bugs#1186

The problem is that the golang ssh implementation compares the client's ServerHostKeyAlgos and the server's ServerHostKeyAlgos and chooses the first match, depending on the order in the supportedHostKeyAlgos variable:

// supportedHostKeyAlgos specifies the supported host-key algorithms (i.e. methods
// of authenticating servers) in preference order.
var supportedHostKeyAlgos = []string{
        CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01,
        CertAlgoECDSA384v01, CertAlgoECDSA521v01,

        KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521,
        KeyAlgoRSA, KeyAlgoDSA,
}

If the remote host had a KeyAlgoRSA key before and it was written into the client's .fleetctl/known_hosts, and SSH on the remote host was then upgraded (i.e. ecdsa-sha2-nistp256 support was added), then crypto/ssh automatically chooses the first match, KeyAlgoECDSA256, and doesn't take the already existing fingerprints into consideration. This causes a "Failed building SSH client: ssh: handshake failed: host key mismatch" error message on the fleetctl client's side.

kayrus (Contributor, Author) commented Apr 1, 2016

OpenSSH logic:

  • load known_hosts keys
  • parse them, determine whether remote hostname/IP corresponds to the known_hosts
  • set hostkeyalgs order (order_hostkeyalgs)
  • send SSH2_MSG_KEXINIT
  • receive host's fingerprint and compare it to the entry inside known_hosts

fleetctl+golang/crypto/ssh logic:

  • send SSH2_MSG_KEXINIT
  • receive host's fingerprint and compare it to the entry inside known_hosts

kayrus (Contributor, Author) commented Apr 1, 2016

The ClientConfig struct contains HostKeyAlgorithms. We can use the crypto/ssh ParseKnownHosts function to parse known_hosts and set HostKeyAlgorithms inside sshClientConfig.

Here is an example on how to parse known_hosts files https://github.com/golang/crypto/blob/master/ssh/keys_test.go#L391
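The following is an added, self-contained example (not fleet's code and not the golang/crypto/ssh library) that demonstrates both points raised in this thread: the negotiation rule from the first comment (the client's preference order decides which host key algorithm is used, so a server that newly advertises ECDSA wins over the RSA key already pinned in known_hosts) and the fix proposed in the third comment (read known_hosts before the handshake and put the recorded key types at the front of HostKeyAlgorithms, falling back to the defaults for unknown hosts). The known_hosts contents, the host address 10.0.0.5 and the key blob are constructed placeholders; the known_hosts parser here is a minimal stand-in that only needs the host and key-type fields (it also understands hashed "|1|salt|hash" host fields), so that the example runs with the standard library only. In a real client use ssh.ParseKnownHosts from golang.org/x/crypto/ssh and pubKey.Type() to obtain the algorithm names, then pass the reordered list as ClientConfig.HostKeyAlgorithms.

```go
package main

import (
	"bufio"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"strings"
)

// Default client preference order of golang/crypto/ssh as quoted in this
// issue (certificate algorithms omitted for brevity). ECDSA comes before RSA,
// which is exactly what triggers the mismatch described above.
var defaultHostKeyAlgos = []string{
	"ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
	"ssh-rsa", "ssh-dss",
}

// knownHostKeyAlgos returns the key types recorded for host in the given
// known_hosts text, in file order. Comment and blank lines are skipped and a
// leading @-marker (@cert-authority, @revoked) is ignored for this purpose.
func knownHostKeyAlgos(knownHosts, host string) []string {
	var algos []string
	sc := bufio.NewScanner(strings.NewReader(knownHosts))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if strings.HasPrefix(fields[0], "@") {
			fields = fields[1:]
		}
		if len(fields) < 3 {
			continue
		}
		if hostMatches(fields[0], host) {
			algos = append(algos, fields[1])
		}
	}
	return algos
}

// hashedHostField builds the hashed form of a host field (HMAC-SHA1 over the
// hostname keyed with salt) so hashed known_hosts lines can be constructed.
func hashedHostField(host string, salt []byte) string {
	mac := hmac.New(sha1.New, salt)
	mac.Write([]byte(host))
	return "|1|" + base64.StdEncoding.EncodeToString(salt) + "|" +
		base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// hostMatches compares a known_hosts host field (plain comma-separated list
// or hashed "|1|salt|hash") against the host being connected to.
func hostMatches(field, host string) bool {
	if strings.HasPrefix(field, "|1|") {
		parts := strings.Split(field, "|") // "", "1", salt, hash
		if len(parts) != 4 {
			return false
		}
		salt, err := base64.StdEncoding.DecodeString(parts[2])
		if err != nil {
			return false
		}
		return hashedHostField(host, salt) == field
	}
	for _, h := range strings.Split(field, ",") {
		if h == host {
			return true
		}
	}
	return false
}

// preferKnown moves the key types already pinned for this host to the front
// of the preference list; the remaining defaults stay as the fallback for
// hosts that have no known_hosts entry yet (the "otherwise fallback" case).
func preferKnown(known, defaults []string) []string {
	out := make([]string, 0, len(known)+len(defaults))
	seen := map[string]bool{}
	for _, list := range [][]string{known, defaults} {
		for _, a := range list {
			if !seen[a] {
				seen[a] = true
				out = append(out, a)
			}
		}
	}
	return out
}

// negotiate applies the RFC 4253 section 7.1 rule for the host key
// algorithm: the first entry of the client's list that the server also
// offers wins. It returns "" when there is nothing in common.
func negotiate(client, server []string) string {
	for _, c := range client {
		for _, s := range server {
			if c == s {
				return c
			}
		}
	}
	return ""
}

func main() {
	// Constructed known_hosts: the host was pinned with an RSA key while the
	// server only had RSA; the key blob is a placeholder, not a real key.
	knownHosts := "10.0.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC3placeholder core@host\n"
	// After the upgrade the server advertises ECDSA as well as RSA.
	server := []string{"ecdsa-sha2-nistp256", "ssh-rsa"}

	known := knownHostKeyAlgos(knownHosts, "10.0.0.5")
	fmt.Println("default order picks:", negotiate(defaultHostKeyAlgos, server))
	fmt.Println("known_hosts-first picks:", negotiate(preferKnown(known, defaultHostKeyAlgos), server))
}
```

With the default order the negotiation picks ecdsa-sha2-nistp256, a key type that has no pinned fingerprint for the host, and the host key check can only fail; with the known_hosts-derived order it picks ssh-rsa and the pinned fingerprint is compared against the key the server actually presents. This mirrors the OpenSSH sequence in the second comment: consult known_hosts and set the algorithm order before SSH2_MSG_KEXINIT is sent.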

tixxdz pushed a commit to endocode/fleet that referenced this issue Apr 1, 2016
Retrieve remote host Key Algorithms from known_hosts if they are there
and use them to perform the ssh handshake. Otherwise fall back to the default
values suggested by the remote.

This patch is based on a previous patch written by:
kayrus <kay.diam@gmail.com>

Resolves coreos#1526 and coreos/bugs#1186
tixxdz pushed a commit to endocode/fleet that referenced this issue Apr 1, 2016 (same commit message as above)
mischief pushed a commit to mischief/fleet that referenced this issue Apr 5, 2016 (same commit message as above)
hectorj2f pushed a commit to giantswarm/fleet that referenced this issue Apr 6, 2016 (same commit message as above)