Control: clone 783606 -1
Control: retitle -1 libpam-sshauth: handle hashed entries in ssh_known_hosts
Control: tags 783606 pending

On 2015-05-06, Petter Reinholdtsen wrote:
> [Petr Šťastný]
>> I just dug more deeply into this problem.
>>
>> First problem: I found that pam_sshauth reads
>> /etc/ssh/ssh_known_hosts, which is not mentioned in the manual page and I
>> was not able to figure out which known_hosts file is used. I had to
>> have a look into the source code.
>
> Good to hear that it is reading the global file.
>
>> Second problem: pam_sshauth seems not to write anything into
>> /etc/ssh/ssh_known_hosts although the manual page states that "If
>> contacting a host for which we don't have an entry in known_hosts,
>> ask, via the pam prompts, if you'd like to trust this host, and add it
>> to your known_hosts file. The default will be to fail the
>> authentication." I interpret this information as it should add the
>> host into ssh_known_hosts when I say "yes". But there is nothing about
>> saving the host key in pam_sshauth's source code.
>
> Good to see that it is not writing in the global file.

Agreed.

> I suspect it
> should be made clear in the documentation. That global file should be
> updated "out of band" like you describe here:

Updated the pam_sshauth manpage in bzr to point to the sshd manpage which
describes how to update ssh_known_hosts.

>> Third and main problem: pam_sshauth does not work with hashed
>> known_hosts entries, which is the default behavior in Debian Jessie (at
>> least, I don't know the situation in previous releases).
>>
>> If I create /etc/ssh/ssh_known_hosts manually using the following
>> command, it works:
>>
>> ssh-keyscan X.X.X.X > /etc/ssh/ssh_known_hosts
>>
>> But this (which is the Debian Jessie default) does not work (host
>> name/address output is hashed) - pam_sshauth ignores these entries:
>>
>> ssh-keyscan -H X.X.X.X > /etc/ssh/ssh_known_hosts
>
> I guess this is the real missing feature here. The pam module should
> understand the same global known_hosts file as the ssh client.

Cloned bug for this issue.

> I would also suggest to change the documentation to document that the
> ssh host to use MUST be listed in /etc/ssh/ssh_known_hosts, and remove
> the prompt about adding the host key to a file.

Documented in bzr, will be included in next upload.

live well,
  vagrant
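The cloned bug is about the `ssh-keyscan -H` format: with HashKnownHosts the host field is not the name or address but `|1|<base64 salt>|<base64 HMAC-SHA1(salt, host)>`, so a lookup that only does a string compare on the first field silently finds nothing. The following is an added example, written for this report and not code from libpam-sshauth or OpenSSH, of a known_hosts lookup that handles both plain and hashed entries the way the ssh client does. The known_hosts contents, the salt and the key blobs in it are constructed for the example (the blobs are placeholders, not real keys); the function and constant names are the example's own.

```python
"""Look up a host in an OpenSSH known_hosts file, honouring both plain and
hashed host fields (the format written by ``ssh-keyscan -H`` and by ssh
with ``HashKnownHosts yes``).

Added example for Debian bug 783606; not code from libpam-sshauth.
"""
import base64
import binascii
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

HASH_MAGIC = "|1|"  # OpenSSH's marker for an HMAC-SHA1 hashed host field


def lookup_name(host: str, port: int = 22) -> str:
    """Name OpenSSH matches (and hashes): bare host on port 22, else [host]:port."""
    return host if port == 22 else f"[{host}]:{port}"


def hash_host(host: str, salt: Optional[bytes] = None) -> str:
    """Render a host the way ``ssh-keyscan -H`` does: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    if salt is None:
        salt = os.urandom(20)  # OpenSSH uses a 20-byte (SHA-1 sized) random salt
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()


def hashed_field_matches(field: str, host: str) -> bool:
    """True if a |1|salt|hash field was produced for ``host``; False on malformed input."""
    parts = field.split("|")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        return False
    try:
        salt = base64.b64decode(parts[2], validate=True)
        stored = base64.b64decode(parts[3], validate=True)
    except (binascii.Error, ValueError):
        return False
    computed = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(computed, stored)


def plain_field_matches(field: str, host: str) -> bool:
    """Plain fields are a comma-separated list; a '!name' entry negates the line.
    Wildcards ('*', '?') are deliberately not handled in this example."""
    names = field.split(",")
    if any(n.startswith("!") and n[1:] == host for n in names):
        return False
    return any(n == host for n in names)


def find_host_keys(known_hosts_text: str, host: str) -> List[Tuple[str, str]]:
    """Return (keytype, base64 key blob) for every line whose host field covers ``host``."""
    found = []
    for raw in known_hosts_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] in ("@cert-authority", "@revoked"):
            # CA keys are not host keys, and a revoked key must never be accepted;
            # a full verifier treats a match on an @revoked line as a hard failure.
            continue
        if len(fields) < 3:
            continue  # malformed line
        hosts, keytype, keydata = fields[0], fields[1], fields[2]
        if hosts.startswith(HASH_MAGIC):
            matched = hashed_field_matches(hosts, host)
        else:
            matched = plain_field_matches(hosts, host)
        if matched:
            found.append((keytype, keydata))
    return found


# Constructed sample: the same host once unhashed (ssh-keyscan) and once hashed
# (ssh-keyscan -H), plus a hashed entry for a host on a non-default port.
# The key blobs are placeholders, not real keys; the salt is fixed for reproducibility.
_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# ssh-keyscan output, unhashed",
    "192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleEd25519PlaceholderKey",
    "# ssh-keyscan -H output, hashed (the Debian jessie default)",
    hash_host("192.0.2.10", _SALT) + " ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleRsaPlaceholderKey",
    hash_host("[192.0.2.11]:2222", _SALT) + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtherHostPlaceholderKey",
])

if __name__ == "__main__":
    for h in ("192.0.2.10", lookup_name("192.0.2.11", 2222), "192.0.2.12"):
        print(h, find_host_keys(SAMPLE_KNOWN_HOSTS, h))
```

A quick check on a real system is `ssh-keygen -F 192.0.2.10 -f /etc/ssh/ssh_known_hosts`: ssh-keygen's `-F` search handles hashed entries, so if it reports a line for the host while the PAM module reports no known_hosts entry, the module's lookup, not the file, is at fault. Note also that for a non-standard port the hashed string is `[host]:port`, so a module that hashes the bare address will miss those entries even once it handles the `|1|` format.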

