ployground / ploy

A tool to manage servers through a central configuration. Plugins allow provisioning, configuration and other management tasks.
http://ploy.readthedocs.org
BSD 3-Clause "New" or "Revised" License

Fingerprint type from public key #43

Closed tehfink closed 8 years ago

tehfink commented 8 years ago

Thanks for a great project! According to the docs:

fingerprint (required) The ssh fingerprint of the server. If set to ask then manual interactive verification is enabled. If set to ignore then no verification is performed at all! You can also point this to a public ssh host key file to let the fingerprint be extracted automatically.

After setting the following in ploy.conf:

fingerprint = /path/to/my/key.pub

Then running ploy ssh jailhost results in the following error:

…
ERROR: Couldn't validate fingerprint for ssh connection.
ERROR: Fingerprint doesn't match for [x.x.x.x] (got xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx, expected SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx)
ERROR: Is the instance finished starting up?

How can one change the type of fingerprinting of the public key from SHA256?

Also according to the docs:

ssh-key-filename Location of private ssh key to use.

However, according to this comment, ssh-key-filename should be used with a public key? https://github.com/ployground/bsdploy/issues/24#issuecomment-50225565 Following this advice results in another error:

ERROR: not a valid EC private key file

I understand that this error might be due to another bug in Paramiko: https://github.com/paramiko/paramiko/issues/521

fschulze commented 8 years ago

The ssh-key-filename comment might have been a brain fart. It is the filename of a private key. It's the equivalent of the -i option of ssh.

This:

ERROR: Fingerprint doesn't match for [x.x.x.x] (got xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx, expected SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx)

Is most likely due to the changed output in newer ssh-keygen versions. I thought I worked on that issue before, but it might be in a local branch. I hope to look into it soon, but can't promise that at the moment.

fschulze commented 8 years ago

This is fixed in ploy 1.3.0.

igalic commented 7 years ago

I'm still seeing this error in ploy 1.3.1

ERROR: Failed to connect to plain-instance:meenix (207.154.239.110)
ERROR: username: 'freebsd'
ERROR: port: 22
ERROR: Couldn't validate fingerprint for ssh connection.
ERROR: Fingerprint doesn't match for 207.154.239.110 (got ['24:d0:a1:37:38:88:5e:ac:c0:e7:bf:31:40:75:63:0f'], expected: ['9e:5a:5d:3f:52:a3:bf:2b:6e:a0:34:f7:e5:20:11:af'])
ERROR: Is the server finished starting up?
$ ploy --version
bsdploy 2.2.0 (/home/igalic/src/me/meenix/bsdploy/lib/python2.7/site-packages)
ploy 1.3.1 (/home/igalic/src/me/meenix/bsdploy/lib/python2.7/site-packages)
ploy-ansible 1.3.2 (/home/igalic/src/me/meenix/bsdploy/lib/python2.7/site-packages)
ploy-ezjail 1.4.0 (/home/igalic/src/me/meenix/bsdploy/lib/python2.7/site-packages)
ploy-fabric 1.1.0 (/home/igalic/src/me/meenix/bsdploy/lib/python2.7/site-packages)

or is this, again, a regression?

fschulze commented 7 years ago

Did you check the fingerprints manually to see if they match? So far I haven't seen this issue anymore. Which OS versions do you use?

igalic commented 7 years ago

Client:

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.10
Release:        16.10
Codename:       yakkety

jailhost: FreeBSD meenix 11.0-RELEASE-p8 FreeBSD 11.0-RELEASE-p8 #0: Wed Feb 22 06:12:04 UTC 2017 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64

I don't know how to compare the keys (i.e.: how to get the hex representation), so here's ssh-keyscan:

# 207.154.239.110:22 SSH-2.0-OpenSSH_7.2 FreeBSD-20160310
207.154.239.110 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFhL2G2N0tb4MH3icV7Cewhd/Cr3rvA8O+Sa5iabxyapMlxk9PezfHoPQo5cYia7iojMALVxr9XEAqnJnYXE4jVsZnXPRFAdCc62RGbHqIuoVJ2WGi0mS4AYKT52OQoj8m9+5jDloLL3vOyWpLiiHK00RCTI6kAuVtuReKEOo5AswBUeRHVGNvF0/gyWWD0AP5gVyeEU/8mjP6Wi6pSPQ+ijAAGjHrrWeme3htTocd59OCMTXnxPBPUte1fSMe9oMeP6Rczqmus1IpXqK+n7uh8nOug2/W7cf1fI4/x1MQ2X/1XpT6F8MVGjNIHFijtD3O2SVTQPj6baOMz5Xnr8kJ
# 207.154.239.110:22 SSH-2.0-OpenSSH_7.2 FreeBSD-20160310
207.154.239.110 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLcBsYLIeinjct1u1IyuOMeI7TfsgL5D2QrKFxcofWIfs0sNCUGueLP3ia1C25bo7AlWoSnSUzVKaou3ZRWoGyk=
# 207.154.239.110:22 SSH-2.0-OpenSSH_7.2 FreeBSD-20160310
207.154.239.110 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdL0xwCo0Akax5CFVQqqkUsfBVTgvJszNdEBXqoX6rl

fschulze commented 7 years ago

Your rsa key matches:

% ssh-keygen -lf rsa.pub -E md5
2048 MD5:24:d0:a1:37:38:88:5e:ac:c0:e7:bf:31:40:75:63:0f 207.154.239.110 (RSA)

Do you have 9e:5a:5d:3f:52:a3:bf:2b:6e:a0:34:f7:e5:20:11:af in your ploy.conf, or is it using an automatically generated key from bootstrap? If so, look for *.pub in your ploy folder structure and check them with ssh-keygen like above. If one matches, report what kind of key matched (RSA, etc).

I should add more logging for the ssh stuff.
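The two errors in this thread come down to the same thing: the configured fingerprint and the one ploy computes from the host key are written in different notations (the legacy MD5 colon-hex form, and the SHA256:base64 form newer ssh-keygen prints), or they belong to different keys on the host. The script below is an added example for this thread, not ploy's code: it takes public-key lines as ssh-keyscan or a .pub file produces them, prints both fingerprint notations (what `ssh-keygen -lf key.pub -E md5` and plain `ssh-keygen -lf key.pub` show), and checks a configured value in either form, so the "got ... expected ..." comparison above can be reproduced by hand. The function names, the example hosts and the short "YWJj" demo key used in the comments are assumptions; the RSA and Ed25519 lines in the `__main__` block are the ssh-keyscan output posted above.

```python
"""Compute OpenSSH host-key fingerprints in both the MD5 colon-hex and the
SHA256:base64 notation and check a configured value in either form.

Added example for this thread, not ploy's own code. Host names and the
"YWJj" demo key in the comments are constructed, not real hosts or keys.
"""
import base64
import hashlib
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_pubkey_line(line):
    """Return (key_type, blob) from an OpenSSH public-key line.

    Accepts both the ssh-keyscan form ("host type base64") and the .pub /
    authorized_keys form ("type base64 [comment]"), e.g. "h ssh-rsa YWJj".
    """
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPE_PREFIXES):
            return field, base64.b64decode(fields[i + 1])
    raise ValueError("not an OpenSSH public key line: %r" % line)


def embedded_key_type(blob):
    """Key type stored inside the blob as an SSH string (uint32 length + bytes),
    or None if the blob is too short to hold one. Lets you cross-check the
    first field of the line against the key data itself."""
    if len(blob) < 4:
        return None
    (length,) = struct.unpack(">I", blob[:4])
    if length == 0 or 4 + length > len(blob):
        return None
    return blob[4:4 + length].decode("ascii", "replace")


def md5_fingerprint(blob):
    """Legacy notation: 16 colon-separated hex bytes, what older ssh-keygen
    (and the 'got ...' part of ploy's error above) prints."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob):
    """Notation of OpenSSH 6.8 and later: 'SHA256:' + unpadded base64 digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_matches(blob, expected):
    """True if `expected` identifies `blob`, whichever notation it uses:
    'aa:bb:...' or 'MD5:aa:bb:...' (hex, any case), or 'SHA256:...' with or
    without trailing '=' padding."""
    expected = expected.strip()
    if expected[:7].upper() == "SHA256:":
        return expected[7:].rstrip("=") == sha256_fingerprint(blob)[7:]
    if expected[:4].upper() == "MD5:":
        expected = expected[4:]
    return expected.lower() == md5_fingerprint(blob)


def matching_key_type(keyscan_lines, expected):
    """Scan ssh-keyscan output (comment lines skipped) and return the type of
    the first host key whose fingerprint equals `expected`, or None."""
    for line in keyscan_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key_type, blob = parse_pubkey_line(line)
        if fingerprint_matches(blob, expected):
            return key_type
    return None


if __name__ == "__main__":
    # ssh-keyscan output as posted in the thread (RSA and Ed25519 lines).
    KEYSCAN = [
        "# 207.154.239.110:22 SSH-2.0-OpenSSH_7.2 FreeBSD-20160310",
        "207.154.239.110 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFhL2G2N0tb4MH3icV7Cewhd/Cr3rvA8O+Sa5iabxyapMlxk9PezfHoPQo5cYia7iojMALVxr9XEAqnJnYXE4jVsZnXPRFAdCc62RGbHqIuoVJ2WGi0mS4AYKT52OQoj8m9+5jDloLL3vOyWpLiiHK00RCTI6kAuVtuReKEOo5AswBUeRHVGNvF0/gyWWD0AP5gVyeEU/8mjP6Wi6pSPQ+ijAAGjHrrWeme3htTocd59OCMTXnxPBPUte1fSMe9oMeP6Rczqmus1IpXqK+n7uh8nOug2/W7cf1fI4/x1MQ2X/1XpT6F8MVGjNIHFijtD3O2SVTQPj6baOMz5Xnr8kJ",
        "207.154.239.110 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdL0xwCo0Akax5CFVQqqkUsfBVTgvJszNdEBXqoX6rl",
    ]
    for line in KEYSCAN:
        if line.startswith("#"):
            continue
        key_type, blob = parse_pubkey_line(line)
        print(key_type, embedded_key_type(blob),
              md5_fingerprint(blob), sha256_fingerprint(blob))
    # The value ploy reported as "got" in the thread; fschulze matched it to the RSA key.
    print("matches:", matching_key_type(
        KEYSCAN, "24:d0:a1:37:38:88:5e:ac:c0:e7:bf:31:40:75:63:0f"))
```

Running it against the keyscan output prints each host key type with both fingerprint notations, which is what you compare with the `fingerprint =` value in ploy.conf; if the MD5 form ploy reports matches a different key type than the one your configured value came from, the mismatch is between keys, not notations.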