The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using https://tickets.puppetlabs.com. See the following page for information on filing tickets with JIRA:

Bug #21811

Wrong permissions for /etc/ssh/ssh_known_hosts

Added by Mark Ruys almost 3 years ago. Updated almost 3 years ago.

Status: Duplicate
Priority: Normal
Assignee: Charlie Sharpsteen
% Done: 0%
Start date:
Due date:
Category: ssh
Target version: -
Affected Puppet version: 3.2.2
Branch:
Keywords: ssh_known_hosts permissions


Description

When I apply:

sshkey { "${fqdn}_ecdsa-sha2-nistp256":
    host_aliases => [ "$fqdn", "$hostname", "$ipaddress" ],
    type         => ecdsa-sha2-nistp256,
    key          => $sshecdsakey,
}

the generated line is:

app01.cluster.peercode.nl_ecdsa-sha2-nistp256,app01.cluster.peercode.nl,app01,10.243.0.61 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDe0Ij3EUAUuZd3PRAUWSQk/Rc/uJQEQNnIlfFC9VPCPw8HRHr/ZBYBKwt/ucskE9+9NUVpNcEtSSZD7kiBQdoM=

This is not accepted by ssh, as it still asks to confirm the host identity. It then inserts into ~/.ssh/known_hosts two lines:

|1|nKfBJdWYK8pcfw5uYDFbEjwinek=|i4xCR6M97ohkW2QX2EP4x6BrGOI= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDe0Ij3EUAUuZd3PRAUWSQk/Rc/uJQEQNnIlfFC9VPCPw8HRHr/ZBYBKwt/ucskE9+9NUVpNcEtSSZD7kiBQdoM=
|1|AFKXXOXTMqb3s7xFZjIXMhLFgvw=|7Tj2HonmX9r//yTA0wm/tAcYXPw= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDe0Ij3EUAUuZd3PRAUWSQk/Rc/uJQEQNnIlfFC9VPCPw8HRHr/ZBYBKwt/ucskE9+9NUVpNcEtSSZD7kiBQdoM=

Ubuntu 12.04 OpenSSH 5.9


Related issues

Duplicates Puppet - Bug #4145: sshkey resource created /etc/ssh/ssh_known_hosts mode 0600 Accepted 07/06/2010

History

#1 Updated by Charlie Sharpsteen almost 3 years ago

  • Status changed from Unreviewed to Needs More Information
  • Assignee set to Mark Ruys

The generated host key entry appears to match the format described by the “SSH_KNOWN_HOSTS FILE FORMAT” section of the sshd man page. The entries that are being created by ssh are using the “hashed form” for hostnames.

I suspect what is happening is that your ssh command is not using an address that matches either the resource name or one of the host_aliases that you have provided. For example, if I define the following resource for the bitbucket.org key:

sshkey { 'bitbucket.org':
  ensure => 'present',
  type   => 'ssh-rsa',
  key    => 'AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw=='
}

I get the following /etc/ssh/known_hosts file:

# HEADER: This file was autogenerated at Wed Jul 17 17:37:23 +0000 2013
# HEADER: by puppet.  While it can still be managed manually, it
# HEADER: is definitely not recommended.
bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==

Testing the connection, I see that the bitbucket.org address gets resolved to 131.103.20.168, which is automatically added to the known_hosts file:

# ssh git@bitbucket.org
Warning: Permanently added the RSA host key for IP address '131.103.20.168' to the list of known hosts.
PTY allocation request failed on channel 0
conq: authenticated via a deploy key.

You can use git or hg to connect to Bitbucket. Shell access is disabled.
Connection to bitbucket.org closed.

However, if I try connecting directly to 131.103.20.168, I get asked to confirm the host identity:

# ssh git@131.103.20.168
The authenticity of host '131.103.20.168 (131.103.20.168)' can't be established.
RSA key fingerprint is 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '131.103.20.168' (RSA) to the list of known hosts.
PTY allocation request failed on channel 0
conq: authenticated via a deploy key.

You can use git or hg to connect to Bitbucket. Shell access is disabled.
Connection to 131.103.20.168 closed.

Are your ssh commands using a different address than the resource name or host_aliases defined in the sshkey?

#2 Updated by Mark Ruys almost 3 years ago

  • Status changed from Needs More Information to Needs Decision

Okay, my problem has nothing to do with /etc/ssh/ssh_known_hosts having hashed or non-hashed hostnames. After some more investigation, the problem appeared to be that Puppet’s sshkey resource type creates a /etc/ssh/ssh_known_hosts file with mode permission 600. Hence the ssh process, which runs as the user currently logged in, can’t read this file and asks for permission to store a new host key in ~/.ssh/known_hosts.

Puppet should apply mode 644 on /etc/ssh/ssh_known_hosts and as I see it, this is a bug.

#3 Updated by Charlie Sharpsteen almost 3 years ago

  • Subject changed from Wrong format /etc/ssh/ssh_known_hosts for ecdsa-sha2-nistp256 keys to Wrong permissions for /etc/ssh/ssh_known_hosts
  • Status changed from Needs Decision to Duplicate
  • Assignee changed from Mark Ruys to Charlie Sharpsteen
  • Keywords changed from ssh to ssh_known_hosts permissions

Mark Ruys wrote:

Puppet should apply mode 644 on /etc/ssh/ssh_known_hosts and as I see it, this is a bug.

Yes it is. In fact, a bug that we’ve had open for way too long: #4145.

As a workaround, one could define a File resource to manage permissions on /etc/ssh/ssh_known_hosts.
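Putting the ticket's two findings together (from note #1, a known_hosts entry only matches the address actually typed on the ssh command line, so the title or host_aliases must list every form clients use; from notes #2 and #3, the sshkey provider leaves /etc/ssh/ssh_known_hosts at mode 0600, which unprivileged users cannot read, and a File resource is the suggested workaround), here is an added example manifest. It is not code from the ticket or from Puppet Labs; it assumes the Facter facts $::fqdn, $::hostname, $::ipaddress and $::sshecdsakey that the reporter's own manifest relies on.

```puppet
# Added example, not from the ticket. Manages the system-wide known-hosts
# entry for this node and corrects the file mode the sshkey provider leaves
# at 0600 (Bug #4145). Facts assumed: $::fqdn, $::hostname, $::ipaddress,
# $::sshecdsakey (standard Facter facts, as used in the original report).

# ssh matches an entry only when the address typed equals the resource
# title or one of the host_aliases, so list every form that is actually
# used: FQDN, short hostname and IP address. Otherwise ssh falls through
# to the interactive host-key prompt and writes its own hashed entry to
# ~/.ssh/known_hosts, exactly as seen in the report.
sshkey { $::fqdn:
  ensure       => present,
  type         => 'ecdsa-sha2-nistp256',
  key          => $::sshecdsakey,
  host_aliases => [ $::hostname, $::ipaddress ],
}

# Workaround for the permission problem: a File resource that owns only the
# metadata of the file (no content), leaving the entries to sshkey.
# 0644 lets any local user read the system-wide file while root alone can
# write it. The dependency makes sure the entry is written first, so the
# mode is corrected on the file the provider produced.
file { '/etc/ssh/ssh_known_hosts':
  ensure  => file,
  owner   => 'root',
  group   => 'root',
  mode    => '0644',
  require => Sshkey[$::fqdn],
}
```

After applying, `ls -l /etc/ssh/ssh_known_hosts` should show `-rw-r--r-- root root`; if the interactive prompt persists for a host that is listed, compare the address on the ssh command line against the entry's comma-separated host list, since a bare IP (as in note #1's 131.103.20.168 test) only matches when it appears there.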
