StanfordSNR / guardian-agent

[beta] Guardian Agent: secure ssh-agent forwarding for Mosh and SSH
BSD 3-Clause "New" or "Revised" License

knownhosts: key mismatch error #5

Closed eminence closed 7 years ago

eminence commented 7 years ago

There are two machines in this scenario: rtr and bigbox.

On rtr:

achin@rtr ~/tmp/06 $ sga-guard achin@bigbox
DISPLAY environment variable is not set. Using terminal for user prompts.
Connecting to achin@bigbox to set up forwarding...
Password:
Forwarding to achin@bigbox setup successfully. Waiting for incoming requests...

Then on bigbox, normal ssh works:

achin@bigbox ~ $ ssh bigbox
You have old mail in folder /var/mail/achin.
achin@bigbox ~ $ exit
logout
Connection to bigbox closed.
achin@bigbox ~ $

But using sga-ssh yields this:

achin@bigbox ~ $ sga-ssh bigbox
failed to connect to bigbox:22: ssh: handshake failed: ssh: disconnect, reason 0: knownhosts: key mismatch

and here is what sga-guard is showing on rtr:

Allow achin@bigbox to run '' on achin@bigbox:22?
        1) Disallow
        2) Allow once
        3) Allow forever
        4) Allow achin@bigbox to run any command on achin@bigbox:22 forever
? Answer 2
Request by achin@bigbox to run '' on achin@bigbox:22 APPROVED by user
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ecdsa-sha2-nistp256 key sent by the remote host is
10:88:b3:2e:53:db:8a:26:72:41:5c:f8:98:fc:98:a6.
Please contact your system administrator.
Add correct host key in /home/achin/.ssh/known_hosts to get rid of this message.
Host key verification failed.

I am confused why this error is appearing because sshing from rtr to bigbox is fine w.r.t. host keys:

achin@rtr ~/tmp/06 $ ssh bigbox hostname
Password:
bigbox

dimakogan commented 7 years ago

Could you please run the following command on rtr and attach the output: ssh-keygen -l -f ~/.ssh/known_hosts -E md5 -F bigbox ?

eminence commented 7 years ago

achin@rtr ~/tmp/06 $ ssh-keygen -l -f ~/.ssh/known_hosts -E md5 -F bigbox
# Host bigbox found: line 29
bigbox ED25519 MD5:44:47:64:19:84:3f:d3:88:f4:3a:69:15:20:c7:5e:45

eminence commented 7 years ago

and here's the same command on bigbox:

achin@bigbox ~ $ ssh-keygen -l -f ~/.ssh/known_hosts -E md5 -F bigbox
# Host bigbox found: line 29
bigbox ECDSA MD5:10:88:b3:2e:53:db:8a:26:72:41:5c:f8:98:fc:98:a6

dimakogan commented 7 years ago

I see, the problem is that the known key for bigbox registered on rtr is of type ED25519, but we negotiate on ECDSA when setting up the connection. I will try creating a fix so that our client uses the existing key type from known hosts (if exists) as a first preference during cipher suite negotiation.

In the meantime, I think you can resolve the issue by installing bigbox's additional key into rtr's known_hosts file, by running the following on rtr: ssh -o UpdateHostKeys=yes bigbox (Note that this is secure, as the additional key is installed after the identity of the remote host is verified using the existing key).

Sorry for the trouble. I appreciate the feedback!

dimakogan commented 7 years ago

Fixed in 80094e514d4826d4615c89b001966961bc7abe8b: if a key for the host appears in the known_hosts file on the local machine, the type of that key will be used as a first preference in the key exchange.
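The preference logic described in the fix, as an added Go example that is not guardian-agent's own code: it assumes a constructed known_hosts sample and a made-up default HostKeyAlgorithms order, and only handles plain and comma-separated host patterns (no hashed or wildcard entries).

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample known_hosts (not the reporter's real file): as in the
// ssh-keygen -F output above, rtr knows only an ED25519 key for bigbox.
const sampleKnownHosts = `# comment and @-marker lines are skipped
bigbox,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotReal
otherhost ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIExample
`
var defaultHostKeyAlgos = []string{"ecdsa-sha2-nistp256", "ssh-rsa", "ssh-ed25519"} // assumed default order; the real list comes from the ssh library

// knownHostKeyTypes returns the key types recorded for host, in file order.
// Comma-separated patterns match exactly; hashed, wildcard and [host]:port forms are not handled.
func knownHostKeyTypes(knownHosts, host string) []string {
	var types []string
	for _, line := range strings.Split(knownHosts, "\n") {
		f := strings.Fields(line)
		if len(f) < 3 || strings.HasPrefix(f[0], "#") || strings.HasPrefix(f[0], "@") {
			continue
		}
		for _, pat := range strings.Split(f[0], ",") {
			if pat == host {
				types = append(types, f[1])
				break
			}
		}
	}
	return types
}

// hostKeyAlgoPreference applies the fix from the thread: key types already
// trusted for the host come first, then the defaults, with duplicates removed.
func hostKeyAlgoPreference(knownHosts, host string, defaults []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, a := range append(knownHostKeyTypes(knownHosts, host), defaults...) {
		if !seen[a] {
			seen[a] = true
			out = append(out, a)
		}
	}
	return out
}

func main() {
	fmt.Println(hostKeyAlgoPreference(sampleKnownHosts, "bigbox", defaultHostKeyAlgos))
}
```

With the ECDSA-first default, bigbox's ED25519 entry moves to the front, so the server offers the key that known_hosts can actually verify instead of triggering the key mismatch.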