[Pkg-ltsp-devel] Bug#783606: Host not saved into known_hosts

Vagrant Cascadian vagrant at debian.org
Thu Jul 2 14:45:35 UTC 2015


Control: clone 783606 -1
Control: retitle -1 libpam-sshauth: handle hashed entries in ssh_known_hosts
Control: tags 783606 pending

On 2015-05-06, Petter Reinholdtsen wrote:
> [Petr Šťastný]
>> I just dug more deeply into this problem.
>>
>> First problem: I found that pam_sshauth reads
>> /etc/ssh/ssh_known_hosts, which is not mentioned in the manual page, and I
>> was not able to figure out which known_hosts file is used. I had to
>> have a look into the source code.
>
> Good to hear that it is reading the global file.
>
>> Second problem: pam_sshauth seems not to write anything into
>> /etc/ssh/ssh_known_hosts although manual page states that "If
>> contacting a host for which we don't have an entry in known_hosts,
>> ask, via the pam prompts, if you'd like to trust this host, and add it
>> to your known_hosts file.  The default will be to fail the
>> authentication." I interpret this information as it should add the
>> host into ssh_known_hosts when I say "yes". But there is nothing about
>> saving the host key in pam_sshauth's source code.
>
> Good to see that it is not writing in the global file.

Agreed.

> I suspect it
> should be made clear in the documentation.  That global file should be
> updated "out of band" like you describe here:

Updated the pam_sshauth manpage in bzr to point to the sshd manpage
which describes how to update ssh_known_hosts.


>> Third and main problem: pam_sshauth does not work with hashed
>> known_hosts entries, which is default behavior in Debian Jessie (at
>> least, I don't know the situation in previous releases).
>>
>> If I create /etc/ssh/ssh_known_hosts manually using the following
>> command, it works:
>>
>> ssh-keyscan X.X.X.X > /etc/ssh/ssh_known_hosts
>>
>> But this (which is the Debian Jessie default) does not work (host
>> name/address output is hashed) - pam_sshauth ignores these entries:
>>
>> ssh-keyscan -H X.X.X.X > /etc/ssh/ssh_known_hosts
>
> I guess this is the real missing feature here.  The pam module should
> understand the same global known_hosts file as the ssh client.

Cloned bug for this issue.


> I would also suggest to change the documentation to document that the
> ssh host to use MUST be listed in /etc/ssh/ssh_known_hosts, and remove
> the prompt about adding the host key to a file.

Documented in bzr, will be included in next upload.


live well,
  vagrant
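The hashed form this clone is about, as an added example in Python (not libpam-sshauth's own code, which is C): ssh-keyscan -H replaces the host field with |1|salt|HMAC-SHA1(salt, host), so a lookup that only string-compares the first field, as Petr describes, never matches. The function names and the sample file below are assumptions; the key blobs are placeholders.

```python
import base64
import hashlib
import hmac

HASH_MAGIC = "|1|"  # OpenSSH marker for a hashed host field


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Build the |1|salt|digest token that ssh-keyscan -H writes for hostname.
    OpenSSH keys HMAC-SHA1 with the 20-byte salt over the host string as the
    client looks it up (e.g. "[host]:port" for non-default ports)."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "%s%s|%s" % (HASH_MAGIC, base64.b64encode(salt).decode(),
                        base64.b64encode(digest).decode())


def host_matches(field: str, hostname: str) -> bool:
    """True if a known_hosts host field (plain list or hashed) covers hostname."""
    if not field.startswith(HASH_MAGIC):
        return hostname in field.split(",")  # plain entries may list several names
    try:
        salt_b64, digest_b64 = field[len(HASH_MAGIC):].split("|", 1)
        salt, stored = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    except ValueError:
        return False  # malformed hashed field: treat as no match
    computed = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(computed, stored)


def find_host_keys(known_hosts_text: str, hostname: str):
    """Return (keytype, base64key) pairs recorded for hostname. Comments and
    @-marker lines (@cert-authority, @revoked) are skipped here; a real
    lookup must honour the markers."""
    found = []
    for raw in known_hosts_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#@":
            continue
        parts = line.split()
        if len(parts) >= 3 and host_matches(parts[0], hostname):
            found.append((parts[1], parts[2]))
    return found


# Constructed sample: one plain entry and one hashed entry built with a fixed
# salt so the lookup is deterministic. The key blobs are placeholders.
FIXED_SALT = b"\x01" * 20
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, not real host keys",
    "192.0.2.10 ssh-ed25519 AAAAC3PLAINKEYCONSTRUCTED",
    hash_hostname("192.0.2.11", FIXED_SALT) + " ssh-ed25519 AAAAC3HASHEDKEYCONSTRUCTED",
])
```

Running find_host_keys over a real /etc/ssh/ssh_known_hosts written with ssh-keyscan -H returns the host's keys, which is what a module reading the same global file as the ssh client needs.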