pyinfra-dev / pyinfra

pyinfra turns Python code into shell commands and runs them on your servers. Execute ad-hoc commands and write declarative operations. Target SSH servers, local machine and Docker containers. Fast and scales from one server to thousands.
https://pyinfra.com
MIT License
3.93k stars 383 forks source link

SSH to CA-trusted host #838

Open pikeas opened 2 years ago

pikeas commented 2 years ago

Describe the bug

Pyinfra prompts for SSH host key verification when the host presents a valid certificate trusted by the user.

To Reproduce

$ cat ~/.ssh/known_hosts
@cert-authority server01 ssh-ed25519 <public key>

$ cat ~/.ssh/config
Host server01
    User root
    IdentityFile ~/.ssh/my_key

$ ssh server01
# works

$ pyinfra --debug server01 deploy.py
--> Loading config...
--> Loading inventory...
    [pyinfra_cli.inventory] Creating fake inventory...
    [pyinfra_cli.inventory] Checking possible group_data directory: /Users/user/dir

--> Connecting to hosts...
    [pyinfra.connectors.ssh] Connecting to: server01 ({'allow_agent': True, 'look_for_keys': True, 'hostname': 'server01', '_pyinfra_ssh_forward_agent': None, '_pyinfra_ssh_config_file': None, '_pyinfra_ssh_known_hosts_file': None, '_pyinfra_ssh_strict_host_key_checking': None, '_pyinfra_ssh_paramiko_connect_kwargs': None, 'timeout': 10})
    [pyinfra.connectors.sshuserclient.client] Loading SSH config: None
No host key for server01 found in known_hosts, do you want to continue [y/n]

Expected behavior

Pyinfra should connect without prompting for host key verification.

Meta

Pyinfra v2.2 macOS-12.3.1-arm64-arm-64bit, Python 3.10.5

Fizzadar commented 2 years ago

Unfortunately this is an upstream problem with the SSH library used by pyinfra, Paramiko: https://github.com/paramiko/paramiko/issues/771

Fizzadar commented 2 years ago

Leaving this open as it’s unresolved but relabelled as a dependency issue.

pikeas commented 2 months ago

2024 update: still broken in Paramiko but not in the same way.

https://github.com/paramiko/paramiko/issues/2320

The bad news: Paramiko breaks differently. The good news: there's a two line patch in https://github.com/paramiko/paramiko/pull/2434 that fixes this.

https://github.com/paramiko/paramiko/issues/771

Paramiko now warns with an Incorrect padding error, adds an entry for the host key, and also silently removes @cert-authority lines from ~/.ssh/known_hosts.

Anyone using PyInfra will likely have a very bad and confusing day if they're ever bitten by this - please add a warning to the docs.

pikeas commented 2 months ago

It looks like it's actually PyInfra removing @cert-authority, I've opened https://github.com/pyinfra-dev/pyinfra/issues/1209.