-
Notifications
You must be signed in to change notification settings - Fork 201
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use skeema/knownhosts, not x/crypto/ssh/knownhosts #2212
Conversation
The e2e test introduced by this PR verifies that the command `system connection add` against an SSH server parses and updates correctly the local `known_hosts` file. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
064f89f
to
6599177
Compare
The e2e test introduced by this PR verifies that the command `system connection add` against an SSH server parses and updates correctly the local `known_hosts` file. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
The e2e test introduced by this PR verifies that the command `system connection add`, run against an SSH server, parses and updates correctly the local `known_hosts` file. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
The e2e test introduced by this PR verifies that the command `system connection add`, run against an SSH server, parses and updates correctly the local `known_hosts` file. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
The e2e test introduced by this PR verifies that the command `system connection add`, run against an SSH server, parses and updates correctly the local `known_hosts` file. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
The e2e test introduced by this PR verifies that the command `system connection add`, run against an SSH server, parses and updates correctly the local `known_hosts` file. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
The e2e test introduced by this PR verifies that the command `system connection add`, run against an SSH server, parses and updates correctly the local `known_hosts` file. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
Signed-off-by: Mario Loriedo <[email protected]>
These tests verify that podman successfully adds (or fails to add) a connection to an SSH server based on the entries in the `~/.ssh/known_hosts` file. In particular `system connection add` should succeed if: - there is no `know_hosts` file - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry for another SSH server, not for the target server It should fail if the `known_host` file has an entry for the target server that matches the protocol but not the key. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
Signed-off-by: Mario Loriedo <[email protected]>
These tests verify that podman successfully adds (or fails to add) a connection to an SSH server based on the entries in the `~/.ssh/known_hosts` file. In particular `system connection add` should succeed if: - there is no `know_hosts` file - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry for another SSH server, not for the target server It should fail if the `known_host` file has an entry for the target server that matches the protocol but not the key. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
6599177
to
f5a4be3
Compare
Signed-off-by: Mario Loriedo <[email protected]>
These tests verify that podman successfully adds (or fails to add) a connection to an SSH server based on the entries in the `~/.ssh/known_hosts` file. In particular `system connection add` should succeed if: - there is no `know_hosts` file - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry for another SSH server, not for the target server It should fail if the `known_host` file has an entry for the target server that matches the protocol but not the key. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
Package [golang.org/x/crypto/ssh/knownhosts](https://pkg.go.dev/golang.org/x/crypto/ssh/knownhosts) has an issue when an SSH server has many public keys (i.e. supports multiple crypto algorithms). For instance, if the local `known_hosts` file entries don't match the first SSH server key but match other keys of the SSH server, the handshake fails with a key mismatch error. See golang/go#29286 and containers/podman#23575. Package [github.com/skeema/knownhosts](https://github.com/skeema/knownhosts) is a wrapper of `x/crypto/ssh/knownhosts` that addresses this issue. This commit replaces the usage of `x/crypto/ssh/knownhosts` in containers/common with `github.com/skeema/knownhosts`. Signed-off-by: Mario Loriedo <[email protected]>
f5a4be3
to
2564c8d
Compare
These tests verify that podman successfully adds (or fails to add) a connection to an SSH server based on the entries in the `~/.ssh/known_hosts` file. In particular `system connection add` should succeed if: - there is no `know_hosts` file - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry for another SSH server, not for the target server It should fail if the `known_host` file has an entry for the target server that matches the protocol but not the key. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
Signed-off-by: Mario Loriedo <[email protected]>
Signed-off-by: Mario Loriedo <[email protected]>
These tests verify that podman successfully adds (or fails to add) a connection to an SSH server based on the entries in the `~/.ssh/known_hosts` file. In particular `system connection add` should succeed if: - there is no `know_hosts` file - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry for another SSH server, not for the target server It should fail if the `known_host` file has an entry for the target server that matches the protocol but not the key. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
Signed-off-by: Mario Loriedo <[email protected]>
These tests verify that podman successfully adds (or fails to add) a connection to an SSH server based on the entries in the `~/.ssh/known_hosts` file. In particular `system connection add` should succeed if: - there is no `know_hosts` file - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry for another SSH server, not for the target server It should fail if the `known_host` file has an entry for the target server that matches the protocol but not the key. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
LGTM |
Signed-off-by: Mario Loriedo <[email protected]>
These tests verify that podman successfully adds (or fails to add) a connection to an SSH server based on the entries in the `~/.ssh/known_hosts` file. In particular `system connection add` should succeed if: - there is no `know_hosts` file - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry for another SSH server, not for the target server It should fail if the `known_host` file has an entry for the target server that matches the protocol but not the key. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
These tests verify that podman successfully adds (or fails to add) a connection to an SSH server based on the entries in the `~/.ssh/known_hosts` file. In particular `system connection add` should succeed if: - there is no `know_hosts` file - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry for another SSH server, not for the target server It should fail if the `known_host` file has an entry for the target server that matches the protocol but not the key. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
These tests verify that podman successfully adds (or fails to add) a connection to an SSH server based on the entries in the `~/.ssh/known_hosts` file. In particular `system connection add` should succeed if: - there is no `know_hosts` file - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry for another SSH server, not for the target server It should fail if the `known_host` file has an entry for the target server that matches the protocol but not the key. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
@containers/podman-maintainers PTAL, I have added some new podman tests that are passing with the changes included in this PR. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
small nit but I guess that is pre existing so I can live without it
I have not looked into the detail why this is needed but I trust your investigation enough that there is no way to do this with the golang library directly so LGTM
return nil, err | ||
} | ||
keyDir := path.Dir(keyFilePath) | ||
if err := fileutils.Exists(keyDir); errors.Is(err, os.ErrNotExist) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this seems pointless, why check if the dir already exists. We could also just directly call mkdir and ignore ErrExist there
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed. I just left as it was as it's not doing any harm (except that's hard to read with all those nested conditions...).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: l0rd, Luap99 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
These tests verify that podman successfully adds (or fails to add) a connection to an SSH server based on the entries in the `~/.ssh/known_hosts` file. In particular `system connection add` should succeed if: - there is no `know_hosts` file - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry for another SSH server, not for the target server It should fail if the `known_host` file has an entry for the target server that matches the protocol but not the key. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
These tests verify that podman successfully adds (or fails to add) a connection to an SSH server based on the entries in the `~/.ssh/known_hosts` file. In particular `system connection add` should succeed if: - there is no `know_hosts` file - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry that matches the first protocol/key returned by the SSH server - `known_hosts` has an entry for another SSH server, not for the target server It should fail if the `known_host` file has an entry for the target server that matches the protocol but not the key. Depends on containers/common#2212 Fixes containers#23575 Signed-off-by: Mario Loriedo <[email protected]>
TL;DR This PR addresses this issue. In this containers/podman PR, I have added some specific tests.
The package golang.org/x/crypto/ssh/knownhosts has an issue when an SSH server has many public keys (i.e., supports multiple crypto algorithms).
For instance, if the local
known_hosts
file entries don't match the first SSH server key but match other SSH server keys, the handshake fails with a key mismatch error.See golang/go#29286 and containers/podman#23575.
Package github.com/skeema/knownhosts is a wrapper of
x/crypto/ssh/knownhosts
that addresses this issue.This commit replaces the usage of
x/crypto/ssh/knownhosts
in containers/common withgithub.com/skeema/knownhosts
.