Issue #9613 has been updated by Nigel Kersten.
Assuming net-ssh honors ssh_config settings in /etc/ssh/ssh_config or
~/.ssh/config we can use:
<pre>
CheckHostIP
If this flag is set to ``yes'', ssh(1) will additionally check the
host IP address in the known_hosts file. This allows ssh to
detect if a host key changed due to DNS spoofing. If the option
is set to ``no'', the check will not be executed. The default
is ``yes''.
...
StrictHostKeyChecking
If this flag is set to ``yes'', ssh(1) will never automatically
add host keys to the ~/.ssh/known_hosts file, and refuses to connect
to hosts whose host key has changed. This provides maximum
protection against trojan horse attacks, though it can be annoying
when the /etc/ssh/ssh_known_hosts file is poorly maintained or
when connections to new hosts are frequently made. This
option forces the user to manually add all new hosts. If this
flag is set to ``no'', ssh will automatically add new host keys to
the user known hosts files. If this flag is set to ``ask'', new
host keys will be added to the user known host files only after
the user has confirmed that is what they really want to do, and
ssh will refuse to connect to hosts whose host key has changed.
The host keys of known hosts will be verified automatically in all
cases. The argument must be ``yes'', ``no'', or ``ask''. The
default is ``ask''.
...
</pre>
and some combination of those should get us what we need?
----------------------------------------
Bug #9613: cloud provisioner should be forgiving if hostnames don't match fingerprints
https://projects.puppetlabs.com/issues/9613
Author: Dan Bode
Status: Unreviewed
Priority: High
Assignee: Nigel Kersten
Category:
Target version:
Keywords:
Branch:
The unique mapping of fingerprints to hostnames can cause failures with ec2.
In ec2 it is reasonable for multiple fingerprints to map to the same hostname
at different periods of time.
I believe the solution is to set :paranoid => false, but would appreciate
feedback.
<pre>
~/devenv/pe-builder
$ [djm@tb-driver pe-builder (master)]$ time bin/pe-builder --type t1.micro --keypair dom_rsa --keyfile ~/.ssh/id_rsa --number 10 --os rhel5
##########################################
####
#####
#####
###
#
#
###################################
#
##
/var/lib/gems/1.8/gems/net-ssh-2.1.4/lib/net/ssh/verifiers/strict.rb:49:in `process_cache_miss': fingerprint 66:06:8f:24:d8:70:0a:b2:98:fc:a4:8f:68:88:5d:66 does not match for "ec2-107-20-58-18.compute-1.amazonaws.com,107.20.58.18" (Net::SSH::HostKeyMismatch)
from /var/lib/gems/1.8/gems/net-ssh-2.1.4/lib/net/ssh/verifiers/strict.rb:38:in `verify'
from /var/lib/gems/1.8/gems/net-ssh-2.1.4/lib/net/ssh/verifiers/lenient.rb:15:in `verify'
from /var/lib/gems/1.8/gems/net-ssh-2.1.4/lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb:165:in `verify_server_key'
from /var/lib/gems/1.8/gems/net-ssh-2.1.4/lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb:68:in `exchange_keys'
from /var/lib/gems/1.8/gems/net-ssh-2.1.4/lib/net/ssh/transport/algorithms.rb:331:in `exchange_keys'
from /var/lib/gems/1.8/gems/net-ssh-2.1.4/lib/net/ssh/transport/algorithms.rb:172:in `proceed!'
from /var/lib/gems/1.8/gems/net-ssh-2.1.4/lib/net/ssh/transport/algorithms.rb:163:in `send_kexinit'
from /var/lib/gems/1.8/gems/net-ssh-2.1.4/lib/net/ssh/transport/algorithms.rb:118:in `accept_kexinit'
from /var/lib/gems/1.8/gems/net-ssh-2.1.4/lib/net/ssh/transport/session.rb:186:in `poll_message'
from /var/lib/gems/1.8/gems/net-ssh-2.1.4/lib/net/ssh/transport/session.rb:164:in `loop'
from /var/lib/gems/1.8/gems/net-ssh-2.1.4/lib/net/ssh/transport/session.rb:164:in `poll_message'
from /var/lib/gems/1.8/gems/net-ssh-2.1.4/lib/net/ssh/transport/session.rb:201:in `wait'
from /var/lib/gems/1.8/gems/net-ssh-2.1.4/lib/net/ssh/transport/session.rb:199:in `loop'
from /var/lib/gems/1.8/gems/net-ssh-2.1.4/lib/net/ssh/transport/session.rb:199:in `wait'
from /var/lib/gems/1.8/gems/net-ssh-2.1.4/lib/net/ssh/transport/session.rb:78:in `initialize'
from /var/lib/gems/1.8/gems/net-ssh-2.1.4/lib/net/ssh.rb:183:in `new'
from /var/lib/gems/1.8/gems/net-ssh-2.1.4/lib/net/ssh.rb:183:in `start'
from /home/djm/devenv/pe-builder/vendor/puppet-cloud-provisioner/lib/puppet/cloudpack.rb:542:in `ssh_remote_execute'
from /home/djm/devenv/pe-builder/vendor/puppet-cloud-provisioner/lib/puppet/cloudpack.rb:579:in `ssh_test_connect'
from /usr/lib/ruby/1.8/timeout.rb:67:in `timeout'
from /home/djm/devenv/pe-builder/vendor/puppet-cloud-provisioner/lib/puppet/cloudpack.rb:578:in `ssh_test_connect'
from /home/djm/devenv/pe-builder/vendor/puppet-cloud-provisioner/lib/puppet/cloudpack.rb:631:in `ssh_connect'
from /home/djm/devenv/pe-builder/vendor/puppet-cloud-provisioner/lib/puppet/cloudpack.rb:511:in `install'
from /home/djm/devenv/pe-builder/vendor/puppet-cloud-provisioner/lib/puppet/face/node/install.rb:13:in `install implementation, required on Ruby 1.8'
from /usr/local/puppet/lib/puppet/interface/action.rb+eval[wrapper]:203:in `__send__'
from /usr/local/puppet/lib/puppet/interface/action.rb+eval[wrapper]:203:in `install'
from /home/djm/devenv/pe-builder/lib/pe-builder.rb:101:in `run_post_install_script'
from /home/djm/devenv/pe-builder/lib/pe-builder.rb:115:in `create_config'
from /home/djm/devenv/pe-builder/lib/pe-builder.rb:51:in `run'
from /home/djm/devenv/pe-builder/lib/pe-builder.rb:45:in `initialize'
from bin/pe-builder:83:in `new'
from bin/pe-builder:83
</pre>
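As an added illustration (not net-ssh's verifier, nor code from the cloud provisioner or either poster; the key blobs are constructed), the following models the StrictHostKeyChecking modes quoted above, the accept-anything behaviour that :paranoid => false asks for, and the narrower alternative of forgetting only the stale entry for the recycled EC2 name from the trace:

```ruby
require 'digest/md5'
require 'base64'
class HostKeyMismatch < StandardError; end

# Constructed sample: the name/IP pair from the trace above, the key the previous
# instance with that name had ("YWJj" = base64 "abc"; real blobs are far longer)
# and the key the recycled instance now presents ("YQ==" = base64 "a").
EC2_NAMES   = ['ec2-107-20-58-18.compute-1.amazonaws.com', '107.20.58.18']
OLD_KEY, NEW_KEY = 'YWJj', 'YQ=='
KNOWN_HOSTS = "#{EC2_NAMES.join(',')} ssh-rsa #{OLD_KEY}\n"

# Colon-separated MD5 fingerprint of a base64 key blob, as in the error above.
def fingerprint(key_b64)
  Digest::MD5.hexdigest(Base64.decode64(key_b64)).scan(/../).join(':')
end

# known_hosts text ("host,ip keytype base64key") -> {name => [fingerprints]}.
# The IP alias gets its own entry, which is what CheckHostIP compares against.
def parse_known_hosts(text)
  index = Hash.new { |h, k| h[k] = [] }
  text.each_line do |line|
    next if line.strip.empty? || line.start_with?('#')
    names, _type, key = line.split(/\s+/, 3)
    fp = fingerprint(key.to_s.strip)
    names.split(',').each { |n| index[n] << fp }
  end
  index
end

# Simplified emulation of the StrictHostKeyChecking modes quoted above, checked
# for every name the server is reached by. Returns :matched, :added or :replaced;
# raises on a changed key unless mode is 'no' ('ask' assumes the operator agreed).
def verify(index, names, presented_key_b64, mode: 'ask')
  fp = fingerprint(presented_key_b64)
  changed = names.select { |n| !index[n].empty? && !index[n].include?(fp) }
  raise HostKeyMismatch, "fingerprint #{fp} does not match for #{names.join(',').inspect}" if changed.any? && mode != 'no'
  result = if changed.any? then :replaced
           elsif names.all? { |n| index[n].include?(fp) } then :matched
           elsif mode == 'yes' then raise HostKeyMismatch, "#{names.first} is not a known host"
           else :added
           end
  names.each { |n| index[n] = [fp] unless index[n].include?(fp) }
  result
end

# Narrower fix for a recycled EC2 name: drop only the stale entries about to be
# reused instead of switching verification off for every connection.
def forget_host(index, names)
  names.each { |n| index.delete(n) }
end
```

With mode 'no' the changed key is silently accepted, which is the trade-off of :paranoid => false; forget_host followed by an 'ask' or 'yes' check keeps the mismatch protection for every other host.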