[ https://issues.apache.org/jira/browse/SSHD-852?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16656411#comment-16656411 ]

Stefan Verhoeven commented on SSHD-852:
---------------------------------------

The documentation at 
[https://man.openbsd.org/sshd.8#SSH_KNOWN_HOSTS_FILE_FORMAT] does not go into the 
hash calculation that clearly; it mentions the format for clear text entries, 
but talks about hostnames for hashes.

I did notice that `ssh-keyscan` uses just the hostname as hash input, by using 
[https://security.stackexchange.com/questions/56268/ssh-benefits-of-using-hashed-known-hosts] 
to verify the hash manually, so OpenSSH is not consistent with itself.

When the Apache ssh client adds a hashed known entry 
([https://git-wip-us.apache.org/repos/asf?p=mina-sshd.git;a=blob;f=sshd-core/src/main/java/org/apache/sshd/client/keyverifier/KnownHostsServerKeyVerifier.java;h=c4cb849b6007b905919417fa0717e0f42d7bc463;hb=HEAD#l702]) 
it only uses the hostname. This will make Apache ssh client not trust the hash 
it added itself. So this should be changed to also use `[host]:port` format 
when port!=22.

> Verification fails for hashed known host entry on non standard port generated 
> by OpenSSH client
> -----------------------------------------------------------------------------------------------
>
>                 Key: SSHD-852
>                 URL: https://issues.apache.org/jira/browse/SSHD-852
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 2.1.1
>         Environment: Linux Mint 19
>            Reporter: Stefan Verhoeven
>            Assignee: Goldstein Lyor
>            Priority: Minor
>             Fix For: 2.1.1
>
>         Attachments: ConnectToNonDefaultPortTest.java
>
>
> The Apache SshClient is unable to verify a known host entry that was made by 
> the OpenSSH client when the entry is on a port other than 22.
>  
> I get the following exception
> {code:java}
> org.apache.sshd.common.SshException: Server key did not validate
>  at 
> org.apache.sshd.client.session.AbstractClientSession.checkKeys(AbstractClientSession.java:440)
> ...{code}
>  
> The OpenSSH client will create a hash for `[host]:port` while Apache 
> SshClient will check hashed entries for `host` (see 
> https://git-wip-us.apache.org/repos/asf?p=mina-sshd.git;a=blob;f=sshd-common/src/main/java/org/apache/sshd/client/config/hosts/KnownHostEntry.java;h=91d61842373bb322b09198f551d6dfd095554677;hb=HEAD#l130).
> This difference will cause the correct known host entry to be marked as not 
> a match which in turn causes the exception.
>  
> The error can be reproduced by setting up an SSH server
> {code:java}
> rm ~/.ssh/known_hosts
> docker run -d -p 10022:22 nlesc/xenon-ssh
> # Prime known hosts with hash entry, password=javagat
> ssh xenon@localhost -p 10022 hostname
> {code}
> and then running the attached test.
>  
> I created a fix and tests at 
> https://github.com/apache/mina-sshd/compare/master...NLeSC:hashed-known-host-port



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
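
The mismatch discussed in this thread, as an added example that is not part of the original message or of MINA SSHD: OpenSSH's hashed host field is `|1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=name))`, so an entry hashed over `[host]:port` cannot match a lookup that hashes only `host`. The function names, the fixed salt and the key blob are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"  # prefix of an HMAC-SHA1 hashed host field
DEFAULT_PORT = 22


def host_pattern(host, port=DEFAULT_PORT):
    """Name OpenSSH stores: bare host on port 22, otherwise [host]:port."""
    return host if port == DEFAULT_PORT else "[%s]:%d" % (host, port)


def hash_host(name, salt=None):
    """Return |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=name))."""
    salt = os.urandom(20) if salt is None else salt
    digest = hmac.new(salt, name.encode("utf-8"), hashlib.sha1).digest()
    return "%s%s|%s" % (HASH_MAGIC, base64.b64encode(salt).decode(),
                        base64.b64encode(digest).decode())


def matches(hashed_field, name):
    """Recompute the HMAC with the entry's own salt; constant-time compare."""
    if not hashed_field.startswith(HASH_MAGIC):
        return False
    try:
        salt_b64, digest_b64 = hashed_field[len(HASH_MAGIC):].split("|")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:  # wrong field count or invalid base64
        return False
    actual = hmac.new(salt, name.encode("utf-8"), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def lookup(known_hosts_text, host, port=DEFAULT_PORT):
    """Return (key type, key blob) of hashed entries matching host and port."""
    name = host_pattern(host, port)
    fields = (line.split() for line in known_hosts_text.splitlines())
    return [(f[1], f[2]) for f in fields if len(f) >= 3 and matches(f[0], name)]


# Constructed sample entry for port 10022 (fixed salt, placeholder key blob).
SAMPLE = hash_host("[localhost]:10022", salt=bytes(range(20))) \
    + " ssh-ed25519 AAAAC3PLACEHOLDERKEYBLOB\n"

if __name__ == "__main__":
    print(lookup(SAMPLE, "localhost", 10022), lookup(SAMPLE, "localhost", 22))
```

A verifier that builds the lookup name with `host_pattern` finds the entry; one that passes the bare host name for a non-default port gets no match and rejects the server key.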
