Closed chrisportela closed 5 years ago
It looks like this function only supports the old format, but it has been changed to be this hash in a newer version of ssh.
Apparently this format was changed in OpenSSH > 6.7.
I have marked this as a feature request.
Thanks Daniel
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.
It is still current. Reopen, please.
Looks like this is still an issue in version 3000. As a workaround I am able to use the MD5 hash, but obviously that isn't ideal.
This is still an issue in 2019.2.4. Here is another request to re-open this issue, please!
This has to be a security issue, because I know that, speaking for myself at least, until now (where I just figured out an acceptable workaround) we were stuck using the older, less-secure SSH fingerprints. I'm sure many other people must be in the same boat.
The workaround:
Using GitHub as an example:
According to https://help.github.com/articles/what-are-github-s-ssh-key-fingerprints/ the keys are:
SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8 (RSA)
SHA256:br9IjFspm1vxR3iA35FWE+4VTyz1hYVLIE2t1/CeyWQ (DSA)
So we need to convert them from base64 to hexadecimal format. Starting with the RSA key:
$ echo -n 'nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8' | base64 -d 2>/dev/null | od -A n -t x1
9d 38 5b 83 a9 17 52 92 56 1a 5e c4 d4 81 8e 0a
ca 51 a2 64 f1 74 20 11 2e f8 8a c3 a1 39 49 8f
We can reformat this to something Salt can work with by removing the new line and using some sed magic:
$ echo -n 'nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8' | base64 -d 2>/dev/null | od -A n -t x1 | xargs echo | sed 's/\ *//g;s/\(..\)/\1:/g;s/:$//'
9d:38:5b:83:a9:17:52:92:56:1a:5e:c4:d4:81:8e:0a:ca:51:a2:64:f1:74:20:11:2e:f8:8a:c3:a1:39:49:8f
We can now do the same for the DSA key:
$ echo -n 'br9IjFspm1vxR3iA35FWE+4VTyz1hYVLIE2t1/CeyWQ' | base64 -d 2>/dev/null | od -A n -t x1 | xargs echo | sed 's/\ *//g;s/\(..\)/\1:/g;s/:$//'
6e:bf:48:8c:5b:29:9b:5b:f1:47:78:80:df:91:56:13:ee:15:4f:2c:f5:85:85:4b:20:4d:ad:d7:f0:9e:c9:64
This beats adding print statements to the set_known_host function in the ssh module and hoping there was no MITM attack... but don't take my word for these answers, you can now do this yourself. It does not negate the need for a proper fix however, as I'm sure most people won't see this issue.
I came up with a function I can put into an execution module to make things easier until this is fixed (again, please re-open this)!
Tested to work in Python 2.7 and 3.7.
$ python
Python 2.7.16 (default, Oct 10 2019, 22:02:15)
[GCC 8.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from codecs import getencoder
>>> from base64 import b64decode
>>> def base64_to_hex(b64_fingerprint):
...     """Returns a converted base64 string to hexadecimal"""
...     def md5_hash_format(fph):
...         """Adds ':' after every two characters of a hex string."""
...         start = 0
...         end = 2
...         output = ''
...         sep = ':'
...         for _ in range(0, int(len(fph) / 2)):
...             if start + 2 == len(fph):
...                 sep = ''
...             output = "{0}{1}{2}".format(output, fph[start:end], sep)
...             start = end
...             end += 2
...         return output
...     # OpenSSH prints the fingerprint without '=' padding; restore it before decoding
...     fpd = b64decode(b64_fingerprint + '=' * (4 - (len(b64_fingerprint) % 4)))
...     # bytes.hex() is not in Python 2.7...
...     #return md5_hash_format(fpd.hex())
...     return md5_hash_format(getencoder('hex_codec')(fpd)[0].decode('utf-8'))
...
>>> base64_to_hex('nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8')
'9d:38:5b:83:a9:17:52:92:56:1a:5e:c4:d4:81:8e:0a:ca:51:a2:64:f1:74:20:11:2e:f8:8a:c3:a1:39:49:8f'
>>> base64_to_hex('br9IjFspm1vxR3iA35FWE+4VTyz1hYVLIE2t1/CeyWQ')
'6e:bf:48:8c:5b:29:9b:5b:f1:47:78:80:df:91:56:13:ee:15:4f:2c:f5:85:85:4b:20:4d:ad:d7:f0:9e:c9:64'
>>>
Using the bash one-liners I was able to correctly configure the GitHub RSA public key using this configuration:
github.com RSA Key:
  ssh_known_hosts.present:
    - name: github.com
    - user: root
    - enc: ssh-rsa
    - fingerprint: 9d:38:5b:83:a9:17:52:92:56:1a:5e:c4:d4:81:8e:0a:ca:51:a2:64:f1:74:20:11:2e:f8:8a:c3:a1:39:49:8f
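The conversion above, and the mismatch the original report describes (Salt's `_fingerprint()` comparing a colon-separated hex digest against what the user supplied), can be worked through end to end in Python 3 with only the standard library. This is an added example, not code from the thread or from Salt: it converts between the OpenSSH `SHA256:<base64>` form and the colon hex form Salt expects, and it also derives all three fingerprint formats directly from a `ssh-keyscan`-style line, so the value published by the provider can be checked against the key actually received from the network. The host name `git.example.test` and the ed25519 key bytes are constructed for the demonstration; the GitHub and Bitbucket values used as inputs are the ones quoted in this thread.

```python
"""Fingerprint helpers for Salt's ssh_known_hosts state (added example, Python 3)."""
import base64
import hashlib
import struct


def b64_fingerprint_to_hex(b64_fp):
    """Convert an OpenSSH base64 fingerprint (optional 'SHA256:' prefix)
    into the colon-separated hex digest Salt compares against."""
    if b64_fp.startswith("SHA256:"):
        b64_fp = b64_fp[len("SHA256:"):]
    # OpenSSH strips the '=' padding; restore it before decoding.
    # -len % 4 yields 0..3 pad characters, never 4.
    digest = base64.b64decode(b64_fp + "=" * (-len(b64_fp) % 4))
    return ":".join("{:02x}".format(b) for b in digest)


def hex_fingerprint_to_b64(hex_fp):
    """Reverse direction: colon hex -> 'SHA256:<base64 without padding>'."""
    digest = bytes.fromhex(hex_fp.replace(":", ""))
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprints_from_known_hosts_line(line):
    """Parse one ssh-keyscan / known_hosts line ('host keytype base64blob [comment]')
    and return the key type plus its fingerprint in the three formats seen in
    this thread: OpenSSH SHA256 base64, SHA256 colon hex, and MD5 colon hex."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected '<host> <keytype> <base64 blob>'")
    host, key_type, blob_b64 = fields[0], fields[1], fields[2]
    blob = base64.b64decode(blob_b64)
    # The wire blob starts with a length-prefixed key type string; require it
    # to agree with the type field so a garbled line is rejected, not hashed.
    (type_len,) = struct.unpack(">I", blob[:4])
    embedded_type = blob[4:4 + type_len].decode("ascii")
    if embedded_type != key_type:
        raise ValueError("key type mismatch: %s vs %s" % (key_type, embedded_type))
    sha = hashlib.sha256(blob).digest()
    md5 = hashlib.md5(blob).digest()
    return {
        "host": host,
        "enc": key_type,
        "sha256_b64": "SHA256:" + base64.b64encode(sha).decode("ascii").rstrip("="),
        "sha256_hex": ":".join("{:02x}".format(b) for b in sha),
        "md5_hex": ":".join("{:02x}".format(b) for b in md5),
    }


def matches_published(line, published_fp):
    """Does the key scanned from the network hash to the fingerprint published
    out-of-band (provider docs)? Run this before pasting a value into a state."""
    scanned = fingerprints_from_known_hosts_line(line)
    return scanned["sha256_hex"] == b64_fingerprint_to_hex(published_fp)


def _constructed_line():
    """A syntactically valid ssh-ed25519 known_hosts line with a made-up
    32-byte key (constructed sample, not a real host key)."""
    fake_key = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + fake_key
    return "git.example.test ssh-ed25519 " + base64.b64encode(blob).decode("ascii")


if __name__ == "__main__":
    for name, value in fingerprints_from_known_hosts_line(_constructed_line()).items():
        print("%-11s %s" % (name, value))
    # The GitHub RSA value quoted in this thread, in the form Salt wants:
    print(b64_fingerprint_to_hex("SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8"))
```

Doing the decode in Python also sidesteps the platform differences in the `base64` command that others in this thread ran into, since `base64.b64decode` behaves the same on Linux and macOS once the padding is restored.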
I was also running into this issue.
After GitHub had to update their RSA SSH host key, the new fingerprint in this format is:
b8:d8:95:ce:d9:2c:0a:c0:e1:71:cd:2e:f5:ef:01:ba:34:17:55:4a:4a:64:80:d3:31:cc:c2:be:3d:ed:0f:6b
I used https://github.com/saltstack/salt/issues/46152#issuecomment-625592695 to generate the fingerprint, but I had to run it on a Linux machine (macOS produced a shorter result).
Re-open please. 3005.1 impacted.
For bitbucket.org (post 2023 key rotation):
bitbucket.org:
  ssh_known_hosts.present:
    - enc: ssh-rsa
    - fingerprint: e3:a3:92:1c:0d:51:9a:3f:04:f0:44:53:0b:ac:64:35:c9:86:3b:0f:68:17:16:2b:d1:61:7a:cd:65:bc:97:51
Generated using the one-liner from @boltronics on Ubuntu (thanks to @HeinrichFilter for pointing out running on macOS truncates the output).
$ echo -n '46OSHA1Rmj8E8ERTC6xkNcmGOw9oFxYr0WF6zWW8l1E' | base64 -d 2>/dev/null | od -A n -t x1 | xargs echo | sed 's/\ *//g;s/\(..\)/\1:/g;s/:$//'
e3:a3:92:1c:0d:51:9a:3f:04:f0:44:53:0b:ac:64:35:c9:86:3b:0f:68:17:16:2b:d1:61:7a:cd:65:bc:97:51
Feels like this issue shouldn't be closed. Lots of hoops to go through to get this to work, and it's not obvious from the Salt docs. Using Salt 3007.1.
Description of Issue/Question
Can't add default format of sha256 fingerprints because modules:ssh.py:_fingerprint() converts remote fingerprint to a hex digest.

Setup
I'm using salt-call --local to highstate a machine I'm going to image.

Here's an example of the expected state

Here's the working example

Steps to Reproduce Issue
Using ssh-keyscan and ssh-keygen I pulled the fingerprint for my remote git server. I was doing this because for some reason Salt thought I was using a fingerprint different from the server. I used the sha256 version so I wouldn't need to downgrade to md5, and I kept getting the error. I went in to modules > ssh.py > set_known_host to print out what Salt believed the fingerprint was vs what I had given it, and discovered that my sha256 fingerprint didn't match a hex digest of the remote host's fingerprint, which I couldn't get ssh-keygen to give me at all. I had to just trust that the fingerprint hex digest was correct, and using that worked for adding to the known hosts file.

Here is the offending code: https://github.com/saltstack/salt/blob/fd0482b26b09cadc4fd0569184639ed92175fba6/salt/modules/ssh.py#L241-L286

By converting the sha256 fingerprint to a hex digest it's preventing set_known_host's check from passing, because the base64(?) version and hex digest strings aren't equal.

Versions Report
I'm running 2016.11.8 because of incompatibilities we have, but I've linked to the develop branch's version of the issue.