esnet / netshell

Kernel and companion software that support ENOS applications (NOT ACTIVELY MAINTAINED)

New SSH host key generated on every startup #27

Closed bmah888 closed 8 years ago

bmah888 commented 8 years ago

The SSH server in netshell seems to forget its host key on every Karaf startup and generates a new one. This results in SSH clients getting confused because the host key keeps changing on them, and they continually warn of MITM attacks on the first SSH login attempt to a new netshell process.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the DSA key sent by the remote host is
SHA256:x42TxDCLskHu6EJOnzeTAIPJjJSjjzufsU+xSXhFrPk.
Please contact your system administrator.
Add correct host key in /Users/bmah/.ssh/known_hosts to get rid of this message.
Offending DSA key in /Users/bmah/.ssh/known_hosts:79
DSA host key for [localhost]:8000 has changed and you have requested strict checking.
Host key verification failed.

Examination of the logs reveals a possible cause: the SSH daemon is not, for some reason, able to read a previously-generated host key that is saved in a file:

2016-04-26 09:28:57,158 | WARN  | NioProcessor-2   | SimpleGeneratorHostKeyProvider   | 175 - org.apache.sshd.core - 0.14.0 | Unable to read key /Users/bmah/.ssh/netshell-hostkey.ser: java.lang.ClassNotFoundException: org.bouncycastle.jcajce.provider.asymmetric.dsa.BCDSAPrivateKey
2016-04-26 09:28:57,159 | INFO  | NioProcessor-2   | SimpleGeneratorHostKeyProvider   | 175 - org.apache.sshd.core - 0.14.0 | Generating host key...

The above outputs were taken on a netshell integrated with ODL. This bug has existed for many months; it is not new behavior.

bmah888 commented 8 years ago

On the other hand, this bug might be manifesting itself slightly differently now compared to the past: from the log file snippets above it appears that netshell thinks it's running in standalone mode, which is a relatively recent addition. See the reference to /Users/bmah/.ssh/netshell-hostkey.ser.

bmah888 commented 8 years ago

@lomaxfrog suggested that the problem is that standalone mode defaults to true. If we put "standalone":"false" in the configuration file, this problem doesn't occur. We've agreed that I'll change the default to false.

bmah888 commented 8 years ago

The work is done, but re-opening it to get it into the Done pipeline.
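The symptom in this thread (a host key that changes on every Karaf restart, so every client sees the REMOTE HOST IDENTIFICATION HAS CHANGED warning) is easiest to confirm, and the default change is easiest to verify, by scanning the server's key before and after a restart and comparing fingerprints rather than relying on a client's known_hosts. The following is an added example written for this page; it is not netshell or Apache MINA SSHD code. It computes the same SHA256 fingerprint format that the OpenSSH warning prints, parses ssh-keyscan style output, and reports which host keys changed between two runs. The scan output and key blobs are constructed inline for illustration: the blobs are well-formed on the wire but are not valid DSA keys, which does not matter for a fingerprint since it depends only on the bytes. The port 8000 and the ssh-dss key type are taken from the warning quoted in the thread.

```python
"""Detect SSH host-key churn between restarts from ssh-keyscan output.

Added example for this page, not part of netshell or Apache MINA SSHD.
The sample scans below are constructed; the key blobs are NOT real DSA keys.
"""
import base64
import hashlib
import struct
from typing import Dict, List, Tuple

# (host as printed by ssh-keyscan, key type) -> base64 key blob
HostKeyMap = Dict[Tuple[str, str], str]


def ssh_fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint in OpenSSH's format: base64(sha256(blob)), '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str) -> HostKeyMap:
    """Parse ssh-keyscan / known_hosts style lines into {(host, type): blob}.

    Comment lines (ssh-keyscan prints the server banner as '# host:port banner')
    and malformed lines are skipped.
    """
    keys: HostKeyMap = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        host, keytype, blob = fields[0], fields[1], fields[2]
        keys[(host, keytype)] = blob
    return keys


def changed_host_keys(before: str, after: str) -> List[Tuple[str, str, str, str]]:
    """Return (host, type, old_fp, new_fp) for each key present in both scans whose bytes changed.

    An empty list means every key offered before the restart is still offered
    unchanged afterwards, which is what a persisted host key should look like.
    """
    old, new = parse_keyscan(before), parse_keyscan(after)
    changes = []
    for key in sorted(old.keys() & new.keys()):
        if old[key] != new[key]:
            changes.append((key[0], key[1], ssh_fingerprint(old[key]), ssh_fingerprint(new[key])))
    return changes


# --- constructed sample data (stands in for real `ssh-keyscan -p 8000 localhost` output) ---

def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _fake_dss_blob(seed: str) -> str:
    """Wire-format 'ssh-dss' public key blob filled with deterministic junk for p, q, g, y.

    Only the layout is realistic; the values are hash output, not DSA parameters.
    """
    parts = [_ssh_string(b"ssh-dss")]
    for name in ("p", "q", "g", "y"):
        parts.append(_ssh_string(hashlib.sha256(f"{seed}:{name}".encode()).digest()))
    return base64.b64encode(b"".join(parts)).decode()


BANNER = "# localhost:8000 SSH-2.0-SSHD-CORE-0.14.0\n"
# First Karaf start and a second start that regenerated the key (the bug in this issue).
SCAN_RUN_1 = BANNER + "[localhost]:8000 ssh-dss " + _fake_dss_blob("boot-1") + "\n"
SCAN_RUN_2 = BANNER + "[localhost]:8000 ssh-dss " + _fake_dss_blob("boot-2") + "\n"
# Second start with the key read back from disk: identical to the first scan.
SCAN_RUN_2_PERSISTED = SCAN_RUN_1


if __name__ == "__main__":
    for host, ktype, old_fp, new_fp in changed_host_keys(SCAN_RUN_1, SCAN_RUN_2):
        print(f"{host} {ktype} changed across restart: {old_fp} -> {new_fp}")
    if not changed_host_keys(SCAN_RUN_1, SCAN_RUN_2_PERSISTED):
        print("persisted host key unchanged across restart")
```

Against a live netshell the inputs come from `ssh-keyscan -p 8000 localhost` saved once before and once after restarting Karaf; any non-empty result from `changed_host_keys` means the daemon regenerated its key, regardless of what the log says about the key file. Since the client only inspects one of the server's keys, a server that rotates its DSA key but keeps an RSA key would still show up here as one changed entry.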