
ssh bug known_hosts?


jeremy ardley

Mar 1, 2023, 2:50:06 PM
I may have found a bug in openssh.

I raise it here as the ssh mailing list is actually a newsgroup that
no-one seems to use.

I can ssh jer...@client.example.com without the issue

I have created a ~/.ssh/config file with contents

Host jeremy_client
    HostName client.example.com
    User jeremy
    IdentityFile ~/.ssh/com.example.jeremy.id_rsa


when I ssh jeremy_client I get two issues:

1. The host ssh client is unrecognised so needs adding to the
known_hosts file

2. The known hosts file used is /etc/ssh/known_hosts rather than
~/.ssh/known_hosts - which causes a permissions error

Is this a bug or a feature?

I can solve the immediate problem by adding a line to the config entry.

Host jeremy_client
    HostName client.example.com
    User jeremy
    IdentityFile ~/.ssh/com.example.jeremy.id_rsa
    UserKnownHostsFile ~/.ssh/known_hosts

ssh -V
OpenSSH_8.4p1 Debian-5+deb11u1, OpenSSL 1.1.1n  15 Mar 2022


--


Jeremy

Jeffrey Walton

Mar 1, 2023, 4:50:06 PM
On Wed, Mar 1, 2023 at 2:49 PM jeremy ardley <jer...@ardley.org> wrote:
>
> I may have found a bug in openssh.
>
> I raise it here as the ssh mailing list is actually a newsgroup that
> no-one seems to use.

You might give comp.security.openssh a try:
https://groups.google.com/g/comp.security.ssh . That is the general
user mailing list. I've always gotten an answer from the list.

Here is the bug reporting page: https://www.openssh.com/report.html .
It sounds like you should use openssh-...@mindrot.org. Archives
are available at https://marc.info/?l=openssh-unix-dev .

Jeff

Charles Curley

Mar 1, 2023, 4:50:06 PM
On Thu, 2 Mar 2023 03:48:49 +0800
jeremy ardley <jer...@ardley.org> wrote:

> 2. The known hosts file used is /etc/ssh/known_hosts rather than
> ~/.ssh/known_hosts - which causes a permissions error

I am not seeing that, for either root or my regular non-root user.

You indicated you created your ~/.ssh/config as shown in your email. I
would check the configuration files in /etc/ssh.

> ssh -V
> OpenSSH_8.4p1 Debian-5+deb11u1, OpenSSL 1.1.1n  15 Mar 2022

Bullseye, I take it.

--
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/

Greg Wooledge

Mar 1, 2023, 5:00:06 PM
On Wed, Mar 01, 2023 at 02:43:38PM -0700, Charles Curley wrote:
> On Thu, 2 Mar 2023 03:48:49 +0800
> jeremy ardley <jer...@ardley.org> wrote:
>
> > 2. The known hosts file used is /etc/ssh/known_hosts rather than
> > ~/.ssh/known_hosts - which causes a permissions error
>
> I am not seeing that, for either root or my regular non-root user.
>
> You indicated you created your ~/.ssh/config as shown in your email. I
> would check the configuration files in /etc/ssh.

It would be worth checking the permissions and ownerships.

unicorn:~$ namei -l ~/.ssh/config
f: /home/greg/.ssh/config
drwxr-xr-x root root /
drwxr-xr-x root root home
drwxr-xr-x greg greg greg
drwxr-xr-x greg greg .ssh
-rw-r--r-- greg greg config

Either that, or something like:

unicorn:~$ ls -ld / /home ~ ~/.ssh ~/.ssh/config
drwxr-xr-x 29 root root 4096 Jan 24 07:17 //
drwxr-xr-x 14 root root 4096 Jan 11 2018 /home/
drwxr-xr-x 227 greg greg 53248 Mar 1 15:01 /home/greg/
drwxr-xr-x 3 greg greg 4096 Apr 18 2021 /home/greg/.ssh/
-rw-r--r-- 1 greg greg 525 Apr 25 2015 /home/greg/.ssh/config

I find the second one more readable, but the first one is definitely
easier to type. Either way, make sure the permissions are *correct*,
which is to say, there should not be a world-write or group-write bit
on any line of the output.

Jeffrey Walton

Mar 1, 2023, 5:00:09 PM
On Wed, Mar 1, 2023 at 2:49 PM jeremy ardley <jer...@ardley.org> wrote:
>
> I may have found a bug in openssh.
> [...]
> I have created a ~/.ssh/config file with contents
>
> Host jeremy_client
> HostName client.example.com
> User jeremy
> IdentityFile ~/.ssh/com.example.jeremy.id_rsa

Does ssh_config(5) do Bash parameter expansion? That is, is the tilde
(~) expanded? I don't see it listed in the man page at
https://linux.die.net/man/5/ssh_config .

Jeff

Greg Wooledge

Mar 1, 2023, 5:10:06 PM
In the bullseye ssh_config(5) man page:

Arguments to IdentityFile may use the tilde syntax to refer to a
user's home directory or the tokens described in the TOKENS sec‐
tion.

The linux.die.net copy has similar wording, but is from an older version,
so it should not be used as an authority. If you need an online man page,
there's <http://manpages.debian.org/ssh_config> which will redirect to
a man page from the current stable release.

jeremy ardley

Mar 1, 2023, 7:50:06 PM
In the IdentityFile section in your reference, they say :

"Specifies a file from which the user's RSA or DSA authentication
identity is read. The default is ~/.ssh/identity for protocol version
1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2.
Additionally, any identities represented by the authentication agent
will be used for authentication.

The file name may use the tilde syntax to refer to a user's home
directory or one of the following escape characters: '%d' (local user's
home directory), '%u' (local user name), '%l' (local host name), '%h'
(remote host name) or '%r' (remote user name). "

The sad part is I thought I was getting a handle on configuring openssh
using ldap and certificates. The multitude of options there say I'm
nowhere near!

--

Jeremy

Jeremy Ardley

Mar 1, 2023, 9:00:06 PM

On 2/3/23 05:51, Greg Wooledge wrote:
> On Wed, Mar 01, 2023 at 02:43:38PM -0700, Charles Curley wrote:
>> On Thu, 2 Mar 2023 03:48:49 +0800
>> jeremy ardley <jer...@ardley.org> wrote:
>>
>>> 2. The known hosts file used is /etc/ssh/known_hosts rather than
>>> ~/.ssh/known_hosts - which causes a permissions error
>> I am not seeing that, for either root or my regular non-root user.
>>
>> You indicated you created your ~/.ssh/config as shown in your email. I
>> would check the configuration files in /etc/ssh.
> It would be worth checking the permissions and ownerships.
>
> unicorn:~$ namei -l ~/.ssh/config
> f: /home/greg/.ssh/config
> drwxr-xr-x root root /
> drwxr-xr-x root root home
> drwxr-xr-x greg greg greg
> drwxr-xr-x greg greg .ssh
> -rw-r--r-- greg greg config
>
My ~/.ssh files are for the most part even more restrictive

-rw------- 1 jeremy jeremy  446 Mar  2 08:51 config
-rw------- 1 jeremy jeremy 2602 Dec 11 11:47 id_rsa
-rw-r--r-- 1 jeremy jeremy  567 Dec 11 11:47 id_rsa.pub

However I've found the cause of the problem, but not necessarily
resolved the bug.

For some reason on my journey /etc/ssh/ssh_config had acquired

   UserKnownHostsFile /etc/ssh/ssh_known_hosts

changing to

#   UserKnownHostsFile /etc/ssh/ssh_known_hosts

stops this behaviour.

--
Jeremy
(Lists)

Jeffrey Walton

Mar 1, 2023, 9:40:05 PM
On Wed, Mar 1, 2023 at 8:53 PM Jeremy Ardley <jer...@ardley.org> wrote:
> [...]
> However I've found the cause of the problem, but not necessarily
> resolved the bug.
>
> For some reason on my journey /etc/ssh/ssh_config had acquired
>
> UserKnownHostsFile /etc/ssh/ssh_known_hosts
>
> changing to
>
> # UserKnownHostsFile /etc/ssh/ssh_known_hosts

That should probably be GlobalKnownHostsFile, not UserKnownHostsFile.
From the ssh_config(5) man page at
https://manpages.debian.org/bullseye/openssh-client/ssh_config.5.en.html:

GlobalKnownHostsFile

Specifies one or more files to use for the global
host key database, separated by whitespace.
The default is /etc/ssh/ssh_known_hosts,
/etc/ssh/ssh_known_hosts2.

But not setting GlobalKnownHostsFile gets you the default, which
appears to be the same as you specified in your config file.

Jeff
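Added example, not part of the thread: a small POSIX sh check that reads the output of `ssh -G <host>` (the client's effective configuration after ~/.ssh/config and /etc/ssh/ssh_config have been merged; available since OpenSSH 6.8) and flags a UserKnownHostsFile that points outside the user's home directory, which is what the stray line in /etc/ssh/ssh_config did to every non-root user here. The function names and the two sample `ssh -G` outputs are constructed for this example; the samples are trimmed to the relevant lines.

```sh
#!/bin/sh
# Added example (not from the thread): find out which known_hosts files the
# OpenSSH client will actually use for a Host alias, after ~/.ssh/config and
# /etc/ssh/ssh_config have been merged.  `ssh -G <host>` (OpenSSH 6.8 and
# later) prints the effective value of every option, one per line, with
# tildes left unexpanded.

# Print the UserKnownHostsFile value(s) from `ssh -G` output read on stdin.
user_known_hosts_from_config() {
    awk 'tolower($1) == "userknownhostsfile" { $1 = ""; sub(/^ /, ""); print }'
}

# Read `ssh -G` output on stdin and return 0 when every per-user known_hosts
# file lives under HOME (tilde form or expanded), 1 when one of them points
# elsewhere.  ssh appends newly accepted host keys to the first of these
# files, so a system path here means a permission error for ordinary users.
user_known_hosts_under_home() {
    home="${1:-$HOME}"
    status=0
    for f in $(user_known_hosts_from_config); do
        case "$f" in
            "~/"*|"$home"/*) ;;
            *) echo "warning: UserKnownHostsFile $f is outside $home" >&2
               status=1 ;;
        esac
    done
    return $status
}

# Constructed stand-ins for `ssh -G jeremy_client` output.  The first
# reproduces the misconfiguration from the thread (UserKnownHostsFile set in
# the global /etc/ssh/ssh_config); the second is the stock default.
SAMPLE_BAD='user jeremy
hostname client.example.com
identityfile ~/.ssh/com.example.jeremy.id_rsa
userknownhostsfile /etc/ssh/ssh_known_hosts
globalknownhostsfile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2'

SAMPLE_GOOD='user jeremy
hostname client.example.com
identityfile ~/.ssh/com.example.jeremy.id_rsa
userknownhostsfile ~/.ssh/known_hosts ~/.ssh/known_hosts2
globalknownhostsfile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2'

# Stand-alone run on the constructed sample.  On a real host use:
#   ssh -G jeremy_client | user_known_hosts_under_home
printf '%s\n' "$SAMPLE_BAD" | user_known_hosts_under_home /home/jeremy \
    || echo "per-user known_hosts is being set by /etc/ssh/ssh_config"
```

Run this before editing any config file: a userknownhostsfile line under /etc/ssh in `ssh -G` output means the global file is setting a per-user option. If a system-wide list of trusted host keys was the intent, it belongs in GlobalKnownHostsFile (default /etc/ssh/ssh_known_hosts), which ssh only reads; new keys are written to the first UserKnownHostsFile, so that one has to stay somewhere the user can write.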

Greg Wooledge

Mar 1, 2023, 10:00:06 PM
On Thu, Mar 02, 2023 at 09:52:35AM +0800, Jeremy Ardley wrote:
> On 2/3/23 05:51, Greg Wooledge wrote:
> > unicorn:~$ namei -l ~/.ssh/config
> > f: /home/greg/.ssh/config
> > drwxr-xr-x root root /
> > drwxr-xr-x root root home
> > drwxr-xr-x greg greg greg
> > drwxr-xr-x greg greg .ssh
> > -rw-r--r-- greg greg config
> >
> My ~/.ssh files are for the most part even more restrictive
>
> -rw------- 1 jeremy jeremy  446 Mar  2 08:51 config
> -rw------- 1 jeremy jeremy 2602 Dec 11 11:47 id_rsa
> -rw-r--r-- 1 jeremy jeremy  567 Dec 11 11:47 id_rsa.pub

You are not providing enough information.

The permissions of ALL THE DIRECTORIES IN THE PATH to the files matter
too.

It's an extremely common failure for someone to have, for example, the
group write bit on the /home directory (or $HOME), and for this to cause
ssh to refuse to read various files.
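Added example, not from the thread: the walk Greg describes in his two replies above, done by script rather than by eye. It checks the target file and every directory above it for group- or world-write bits and for ownership by anyone other than root or the current user, the two conditions OpenSSH applies when it rejects a file (sshd's StrictModes checks them along the whole path to a user's authorized_keys; the client checks them on ~/.ssh/config itself). The optional second argument, a starting directory other than "/", exists only so the walk can be exercised in a scratch tree whose parent (/tmp) is world-writable by design; it is not something ssh has. The function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread): walk from "/" down to an OpenSSH
# client file and flag every component that ssh itself would refuse to
# trust: group- or world-writable, or owned by someone other than root or
# the invoking user.  Symlinks are followed, as ssh's stat() does.

# Return 0 when one path has safe mode bits and ownership, 1 otherwise,
# printing the reason to stderr.
path_is_safe() {
    line=$(ls -ldL "$1") || return 1
    mode=$(printf '%s\n' "$line" | cut -c1-10)
    owner=$(printf '%s\n' "$line" | awk '{ print $3 }')
    me=$(id -un)
    safe=0
    case "$mode" in
        ?????w*|????????w*)   # 6th char = group write, 9th char = world write
            echo "$1: $mode is group- or world-writable" >&2; safe=1 ;;
    esac
    if [ "$owner" != root ] && [ "$owner" != "$me" ]; then
        echo "$1: owned by $owner, not root or $me" >&2; safe=1
    fi
    return $safe
}

# Check TARGET and every directory above it.  START (default "/") is where
# the walk begins; it is only there so the function can be tested inside a
# scratch tree without /tmp's own world-writable mode tripping it.
check_path_perms() {
    target="$1"
    start="${2:-/}"
    case "$target" in
        "$start"*) ;;
        *) echo "$target is not below $start" >&2; return 2 ;;
    esac
    rel="${target#"$start"}"
    p="${start%/}"
    [ -n "$p" ] || p="/"
    bad=0
    path_is_safe "$p" || bad=1
    oldifs=$IFS
    IFS=/
    set -- $rel
    IFS=$oldifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        p="${p%/}/$comp"
        path_is_safe "$p" || bad=1
    done
    return $bad
}

# Stand-alone run against the real client config, the file in the thread.
if [ -e "$HOME/.ssh/config" ]; then
    check_path_perms "$HOME/.ssh/config" && echo "ok: $HOME/.ssh/config"
fi
```

The output is the same information `namei -l` or `ls -ld` on each component gives, reduced to the lines that matter; the common failure Greg names (a group-write bit on /home or on $HOME) shows up as a single warning naming the offending directory.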