fleetctl appends port number in ~/.fleetctl/known_hosts

[jonboulle]

By default when generating a known_hosts file, fleet appends the port number. This is problematic for two reasons.

1. if the port number is 22 it should not be included
2. if the port number is not 22 then the ip address should be enclosed in square braces and the port should be appended afterwards (e.g. [192.168.1.1]:22). This is because IPv6 addresses utilize colons as a delimiter. For more information, man sshd - section "SSH_KNOWN_HOSTS FILE FORMAT".

[jonboulle]

@brianredbeard ptal

[jonboulle]

Actually, stand by - I'm going to rework the known hosts functionality to better match the spec.

[jonboulle]

Well, that was a fun rabbit hole. It turns out the known hosts spec is rather.. intricate, and we were barely scratching the surface of it.

This implements the vast majority of it (and adds coverage for pretty much all new code), but still a bit more cleanup to be done.

[bcwaldon]

Its like these comments read with an Australian accent...

[jonboulle]

Finnish, actually...

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/match.c?rev=1.29;content-type=text%2Fplain

[bcwaldon]

Could we keep with the style of the rest of the codebase and use double-slash comments?

[jonboulle]

OK

[bcwaldon]

Excuse me?

[jonboulle]

Patience young padawan

[bcwaldon]

Ok, should I hold off on reviewing this PR for now?

[jonboulle]

Well I'm reworking the tests, but feel free to tear into the rest.

[bcwaldon]

@jonboulle Not sure where we're at here, but I tested it out anyways:

% cat ~/.fleetctl/known_hosts
127.0.0.1:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCki6T4lAFTlJ0HzuboJoB83aiDCjDiXm2DCjg0FLsAunQrMH3Z9tEko5j7d3G/GJTdBqdhFAkMSbbS7ceJYUTkRuHLE1VXQSbyhJCeNT/Cw8rQxfi2pq45AylGzHw304IUBZxOwsnSKsK9uWK3XRMNO+1oQs0ZrPvFkiPkq7Szd0e7FkaF7RDoe4ZHPw8EONcnbhiCfFw6W1ZaCoGTFdk6B3Rn9JoGsYHsyU+42yz7oGxeFQZzUmko4xc842aAFoT9geWhsD1m0AQgrsZ/e1l73WaAiaYhPzgaHcUN2naewsfP9e6qqBvaMPTmPoy9RP3JsZREEh6NLImoo3/kPTxf

The hostname in that entry doesn't seem correct. Shouldn't it be [127.0.0.1]:2222?

[jonboulle]

You are correct. I misread net.JoinHostPort, it doesn't actually do what we want - so now we just use a direct translation from openssh.

[jonboulle]

(also, the test was wrong - fixed)

[bcwaldon]

Working as expected now, but what do you think about compatibility with the old host format? I ran both latest and this fleetctl and they ignored eachother in the known_hosts file. Maybe this patch should take into account the old host format?

% cat ~/.fleetctl/known_hosts
127.0.0.1:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCki6T4lAFTlJ0HzuboJoB83aiDCjDiXm2DCjg0FLsAunQrMH3Z9tEko5j7d3G/GJTdBqdhFAkMSbbS7ceJYUTkRuHLE1VXQSbyhJCeNT/Cw8rQxfi2pq45AylGzHw304IUBZxOwsnSKsK9uWK3XRMNO+1oQs0ZrPvFkiPkq7Szd0e7FkaF7RDoe4ZHPw8EONcnbhiCfFw6W1ZaCoGTFdk6B3Rn9JoGsYHsyU+42yz7oGxeFQZzUmko4xc842aAFoT9geWhsD1m0AQgrsZ/e1l73WaAiaYhPzgaHcUN2naewsfP9e6qqBvaMPTmPoy9RP3JsZREEh6NLImoo3/kPTxf
[127.0.0.1]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCki6T4lAFTlJ0HzuboJoB83aiDCjDiXm2DCjg0FLsAunQrMH3Z9tEko5j7d3G/GJTdBqdhFAkMSbbS7ceJYUTkRuHLE1VXQSbyhJCeNT/Cw8rQxfi2pq45AylGzHw304IUBZxOwsnSKsK9uWK3XRMNO+1oQs0ZrPvFkiPkq7Szd0e7FkaF7RDoe4ZHPw8EONcnbhiCfFw6W1ZaCoGTFdk6B3Rn9JoGsYHsyU+42yz7oGxeFQZzUmko4xc842aAFoT9geWhsD1m0AQgrsZ/e1l73WaAiaYhPzgaHcUN2naewsfP9e6qqBvaMPTmPoy9RP3JsZREEh6NLImoo3/kPTxf

[brianredbeard]

I think if it politely ignores old entries and doesn't put undue burden on
the users it should be fine. Thoughts?

On Fri, May 9, 2014 at 1:17 PM, Brian Waldon [email protected]:

Working as expected now, but what do you think about compatibility with
the old host format? I ran both latest and this fleetctl and they ignored
eachother in the known_hosts file. Maybe this patch should take into
account the old host format?

% cat ~/.fleetctl/known_hosts127.0.0.1:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCki6T4lAFTlJ0HzuboJoB83aiDCjDiXm2DCjg0FLsAunQrMH3Z9tEko5j7d3G/GJTdBqdhFAkMSbbS7ceJYUTkRuHLE1VXQSbyhJCeNT/Cw8rQxfi2pq45AylGzHw304IUBZxOwsnSKsK9uWK3XRMNO+1oQs0ZrPvFkiPkq7Szd0e7FkaF7RDoe4ZHPw8EONcnbhiCfFw6W1ZaCoGTFdk6B3Rn9JoGsYHsyU+42yz7oGxeFQZzUmko4xc842aAFoT9geWhsD1m0AQgrsZ/e1l73WaAiaYhPzgaHcUN2naewsfP9e6qqBvaMPTmPoy9RP3JsZREEh6NLImo
o3/kPTxf
[127.0.0.1]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCki6T4lAFTlJ0HzuboJoB83aiDCjDiXm2DCjg0FLsAunQrMH3Z9tEko5j7d3G/GJTdBqdhFAkMSbbS7ceJYUTkRuHLE1VXQSbyhJCeNT/Cw8rQxfi2pq45AylGzHw304IUBZxOwsnSKsK9uWK3XRMNO+1oQs0ZrPvFkiPkq7Szd0e7FkaF7RDoe4ZHPw8EONcnbhiCfFw6W1ZaCoGTFdk6B3Rn9JoGsYHsyU+42yz7oGxeFQZzUmko4xc842aAFoT9geWhsD1m0AQgrsZ/e1l73WaAiaYhPzgaHcUN2naewsfP9e6qqBvaMPTmPoy9RP3JsZREEh6NLImoo3/kPTxf

—
Reply to this email directly or view it on GitHubhttps://github.com//pull/410#issuecomment-42708925
.

[bcwaldon]

@brianredbeard I think I agree, just wanted to have the conversation on the record. At least we don't have to worry about fleetctl ignoring host keys or something terrible like that.

[jonboulle]

Yeah, I'd rather avoid accounting for the old host format - it complicates the logic a bit, and technically it's an invalid format anyway (our bad).

[bcwaldon]

🐑 it

[bcwaldon]

btw that 🐑 it is a 🚢 it

[jonboulle]

Ship from phone.

[bcwaldon]

Like a boss