Open alajmo opened 2 years ago
//cc @FiloSottile @golang/security
From https://man.openbsd.org/sshd.8:
A hostname or address may optionally be enclosed within ‘[’ and ‘]’ brackets then followed by ‘:’ and a non-standard port number.
So if the IP is enclosed with brackets [], then it MUST be followed by a colon : AND a non-standard port.
For anyone who needs a quick workaround for writing IPv6 entries to known_hosts files, package github.com/skeema/knownhosts@v1.2.0 now includes patched versions of Normalize and Line with correct IPv6 behavior, thanks to a nice contribution from @lonnywong of the @trzsz project.
github.com/skeema/knownhosts is a thin wrapper around x/crypto/ssh/knownhosts, rather than a fork. It's battle-tested and adds several improvements not found in x/crypto/ssh/knownhosts. It's designed to be a nearly-drop-in replacement; you'll just need to cast back to ssh.HostKeyCallback if using the result of its New directly in ssh.ClientConfig.HostKeyCallback.
Change https://go.dev/cl/522255 mentions this issue: ssh/knownhosts: fix bracket normalisation
What version of Go are you using (go version)?
Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (go env)?
go env Output
What did you do?
When running the above script, the line line := knownhosts.Line(addr, key) prints the following:
(The xyz is just a placeholder.)
which I add to /home/samir/.ssh/known_hosts. I get the message ssh: handshake failed: knownhosts: key is unknown as well, which is expected.
What did you expect to see?
On the second re-run (with my hostkey added to known_hosts), I expect the connection to be established.
What did you see instead?
I see:
If I add the :22 port to the IP, it works (this shouldn't work though, since it's the default port; it should only work when port != 22):
And it works if I remove the brackets (this is the correct way and how ssh works):
The method Line says "Line returns a line to add append to the known_hosts files.", but the method New doesn't support parsing the known_hosts file without a port number when brackets [] are used. So it should be:
port == 22: return abcd:abcd:abcd:abcd
port != 22: return [abcd:abcd:abcd:abcd]:33
port == 22: return 127.0.0.1
port != 22: return [127.0.0.1]:33
I think the Normalize function is the culprit in some of the errors:
https://cs.opensource.google/go/x/crypto/+/bc19a97f:ssh/knownhosts/knownhosts_test.go;l=329
The test cases are:
They should be (removal of brackets on the right side):
Also, a small note: the method Line has a grammar error. It says "Line returns a line to add append to the known_hosts files.", but it should say "Line returns a line to add to the known_hosts files." or "Line returns a line to append to the known_hosts files."
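Added example (not code from x/crypto/ssh/knownhosts, skeema/knownhosts or the issue author): a stand-alone Go implementation of the host-field rule quoted from sshd.8 earlier in the thread, checked against the expected values the issue lists for port 22 and port 33. The names Normalize, Line, checkPattern and HostLineMatches are chosen for this example and are not the library's API; the host key is a constructed placeholder. The matcher compares the normalized address to each pattern literally, the way OpenSSH does, so an entry written as "[host]:22" does not cover a port-22 connection, and a bracketed host with no port is rejected as malformed rather than silently accepted.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Normalize renders a dial address ("host", "host:port", "[host]:port" or a
// bare IPv6 literal) as the host field sshd.8 describes for known_hosts: the
// bare host when the port is 22, "[host]:port" for any other port. Brackets
// are never emitted without a port. Hostnames are lower-cased.
func Normalize(address string) string {
	host, port := address, "22"
	switch {
	case strings.HasPrefix(address, "["):
		// "[host]:port", or a stray "[host]" with no port at all.
		if end := strings.LastIndex(address, "]"); end > 0 {
			host = address[1:end]
			if rest := address[end+1:]; len(rest) > 1 && rest[0] == ':' {
				port = rest[1:]
			}
		}
	case strings.Count(address, ":") == 1:
		// "host:port" with a hostname or IPv4 address. A bare IPv6 literal
		// has several colons and falls through as a host with no port.
		i := strings.IndexByte(address, ':')
		host, port = address[:i], address[i+1:]
	}
	host = strings.ToLower(host)
	if port == "22" {
		return host
	}
	return "[" + host + "]:" + port
}

// Line builds the known_hosts line ssh would write for address, given the
// "keytype base64" text of the host key (unhashed form).
func Line(address, key string) string {
	return Normalize(address) + " " + key
}

// checkPattern enforces the bracket rule from sshd.8 on one host pattern: a
// leading "[" must be closed and followed by ":" and a numeric port.
func checkPattern(pat string) error {
	if !strings.HasPrefix(pat, "[") {
		return nil
	}
	end := strings.LastIndex(pat, "]")
	if end < 0 || !strings.HasPrefix(pat[end+1:], ":") {
		return fmt.Errorf("known_hosts: pattern %q: a bracketed host must be followed by :port", pat)
	}
	if _, err := strconv.Atoi(pat[end+2:]); err != nil {
		return fmt.Errorf("known_hosts: pattern %q: port is not numeric", pat)
	}
	return nil
}

// HostLineMatches reports whether the host field of one known_hosts line
// covers the dial address. The comparison is literal, as in OpenSSH, so an
// entry written as "[host]:22" does not match a connection to port 22.
// Hashed ("|1|...") and wildcard patterns are out of scope and are skipped.
func HostLineMatches(line, address string) (bool, error) {
	fields := strings.Fields(line)
	if len(fields) > 0 && strings.HasPrefix(fields[0], "@") {
		fields = fields[1:] // marker such as @cert-authority or @revoked
	}
	if len(fields) < 3 {
		return false, errors.New("known_hosts: malformed line")
	}
	want := Normalize(address)
	for _, pat := range strings.Split(fields[0], ",") {
		if strings.HasPrefix(pat, "|1|") || strings.ContainsAny(pat, "*?") {
			continue
		}
		if err := checkPattern(pat); err != nil {
			return false, err
		}
		if strings.EqualFold(pat, want) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed placeholder key, not a real host key.
	const key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIxyz"
	for _, addr := range []string{
		"abcd:abcd:abcd:abcd", "[abcd:abcd:abcd:abcd]:22", "[abcd:abcd:abcd:abcd]:33",
		"127.0.0.1:22", "127.0.0.1:33",
	} {
		fmt.Printf("%-26s -> %s\n", addr, Normalize(addr))
	}
	line := Line("[abcd:abcd:abcd:abcd]:22", key)
	ok, err := HostLineMatches(line, "abcd:abcd:abcd:abcd")
	fmt.Println(line, "matches:", ok, err)
	_, err = HostLineMatches("[abcd:abcd:abcd:abcd] "+key, "abcd:abcd:abcd:abcd")
	fmt.Println("bracketed host without port:", err)
}
```

The two behaviours the issue complains about fall out of the same rule: Normalize never brackets a host on port 22, so Line writes the bare IPv6 literal, and the same Normalize applied to the dial address is what the lookup compares against, so a file written by Line is read back without a special case.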