cockpit-project / cockpit

Cockpit is a web-based graphical interface for servers.
http://www.cockpit-project.org/
GNU Lesser General Public License v2.1

Multi-machine support for known ssh keys based on machines.d json IP/host address #13094

Open mckenziec opened 4 years ago

mckenziec commented 4 years ago

Page: Dashboard (mainly)
Version: 194

"The ID can be a human readable name or an IP address or any other unique value, and is shown in the web interface until connecting to it the first time, at which point the web interface will show the machine's host name."

Cockpit (or something) is using the machines.d remote server ID as the known ssh key ID lookup.

When adding a new server to machines.d, the json key name must match the ssh key name in the /etc/ssh/ssh_known_hosts file, otherwise the machine will remain untrusted.

I didn't see this issue anywhere, and I now know how to make things work, but the docs should be updated at least to capture this.

Reproduction steps:

1) Add a new server to a cockpit instance. Accept the ssh key fingerprint. Server gets added fine. All looks good.

2) Observe the ssh_known_hosts file using IP address (or hostname):
cat /etc/ssh/ssh_known_hosts
192.168.177.171 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAS3iZQ3j/vKikxWsuxW/kMevwmem3TawlJvq5skg0Lo

3) Observe machines.d file:
cat /etc/cockpit/machines.d/99-webui.json
{
  "testy.acme.com" : {
    "visible" : false,
    "color" : "rgb(103, 211, 0)",
    "address" : "testy.acme.com"
  },
  "192.168.177.171" : {
    "visible" : true,
    "color" : "rgb(211, 158, 0)",
    "address" : "192.168.177.171"
  }
}

The easiest way to cause the problem is to edit /etc/cockpit/machines.d/99-webui.json and change the ID from your server IP/hostname to anything else. Then reload cockpit. You will not be able to connect to the 2nd machine. e.g.

{
  "testy.acme.com" : {
    "visible" : false,
    "color" : "rgb(103, 211, 0)",
    "address" : "testy.acme.com"
  },
  "testo" : {
    "visible" : true,
    "color" : "rgb(211, 158, 0)",
    "address" : "192.168.177.171"
  }
}

Why is this an issue? Well, it seems like the ID and address aren't being used for the expected functions. I would expect that the address is used for connecting to the remote sshd server, and that it would also be used for identifying the ssh_known_hosts entry to trust.

When updating your own machines.d json file, it's important to make sure the ID matches whatever key you stick in ssh_known_hosts, which will be the same as what goes in address anyway if you're using ssh-keyscan to automatically grab the remote server's key. When you're trying to import the remote server's key, it's not going to be obvious that the entry must match the ID, not the address, for this bit. I'm sure the address is used elsewhere.

1) Add a new remote server:
vi /etc/cockpit/machines.d/testo.json
{
  "192.168.177.172" : {
    "visible" : true,
    "color" : "rgb(211, 158, 0)",
    "address" : "192.168.177.172"
  }
}

2) Import the remote server's key (something like):
sudo ssh-keyscan -t ssh-ed25519 192.168.177.171 >> /etc/ssh/ssh_known_hosts

3) Reload cockpit. Enjoy the 2nd host.

Works! But always have the ID and address match.
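A small checker for the ID/address mismatch described in this report, added here as an example and not part of Cockpit: it parses a machines.d JSON file and an ssh_known_hosts file and flags every machine whose address has a trusted key but whose ID does not, which is the state that leaves the machine untrusted in the dashboard. The sample JSON and known_hosts contents are constructed; the key material is a placeholder.

```python
# Added example (not Cockpit project code): check machines.d entries against
# ssh_known_hosts and flag IDs whose address is trusted but whose ID is not.
import base64, hashlib, hmac, json

# Constructed sample data mirroring the report; "testo" is the broken entry.
MACHINES_JSON = """{
  "testy.acme.com": {"visible": false, "address": "testy.acme.com"},
  "testo": {"visible": true, "address": "192.168.177.171"},
  "192.168.177.172": {"visible": true, "address": "192.168.177.172"}
}"""
KNOWN_HOSTS = """# constructed file; key material is a placeholder
testy.acme.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER
192.168.177.171 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER
"""

def host_matches(field: str, host: str) -> bool:
    """Match a known_hosts host field (comma list or |1|salt|hmac hashed entry)."""
    for pattern in field.split(","):
        if pattern.startswith("|1|"):
            _, _, salt_b64, digest_b64 = pattern.split("|")
            salt = base64.b64decode(salt_b64)
            digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(digest, base64.b64decode(digest_b64)):
                return True
        elif pattern == host:
            return True
    return False

def known_hosts_fields(text: str) -> list:
    """Host field of each key line; skips blanks, comments and @marker words."""
    fields = []
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            fields.append(parts[1] if parts[0].startswith("@") else parts[0])
    return fields

def check_machines(machines_json: str, known_hosts: str) -> dict:
    """Map each machine ID to 'trusted', 'id-mismatch' or 'untrusted'."""
    fields = known_hosts_fields(known_hosts)
    def known(h): return any(host_matches(f, h) for f in fields)
    result = {}
    for machine_id, cfg in json.loads(machines_json).items():
        if known(machine_id):
            result[machine_id] = "trusted"
        elif known(cfg.get("address", "")):
            result[machine_id] = "id-mismatch"  # Cockpit keys trust on the ID
        else:
            result[machine_id] = "untrusted"
    return result
```

Run it against the real /etc/cockpit/machines.d/*.json and /etc/ssh/ssh_known_hosts contents to list entries that will stay untrusted until the ID is renamed to match the known_hosts host field.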

marusak commented 1 year ago

Just tried and this nicely reproduces. Now that I've tried it, I must say it is annoying me! :laughing: I will take a quick look to see if I can find the issue in the code base.