Posted to issues@karaf.apache.org by "Guillaume Nodet (JIRA)" <ji...@apache.org> on 2012/05/25 16:20:24 UTC

[jira] [Created] (KARAF-1506) Check host keys when connecting to an ssh server using bin/client and ssh:ssh

Guillaume Nodet created KARAF-1506:
--------------------------------------

             Summary: Check host keys when connecting to an ssh server using bin/client and ssh:ssh
                 Key: KARAF-1506
                 URL: https://issues.apache.org/jira/browse/KARAF-1506
             Project: Karaf
          Issue Type: Improvement
            Reporter: Guillaume Nodet
             Fix For: 3.0.0




--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Commented] (KARAF-1506) Check host keys when connecting to an ssh server using bin/client and ssh:ssh

Posted by "Guillaume Nodet (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/KARAF-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13403915#comment-13403915 ] 

Guillaume Nodet commented on KARAF-1506:
----------------------------------------

I think it would be better to have the user asked for a confirmation, else it's still a security leak.
So when we hit an unknown key, we should print the key and ask the user to confirm it before storing it.
Also, error messages may be better printed to System.err in red (using Jansi).
Last, I think the ssh stuff is mostly used to communicate between karaf instances, so I wonder if the known hosts file storage would be better placed inside the etc/ folder, because if you remove your karaf installation, the key will have changed and you'll have to delete your known host keys very often at dev time.
                
> Check host keys when connecting to an ssh server using bin/client and ssh:ssh
> -----------------------------------------------------------------------------
>
>                 Key: KARAF-1506
>                 URL: https://issues.apache.org/jira/browse/KARAF-1506
>             Project: Karaf
>          Issue Type: Improvement
>            Reporter: Guillaume Nodet
>            Assignee: Christian Schneider
>             Fix For: 3.0.0
>
>



        

[jira] [Commented] (KARAF-1506) Check host keys when connecting to an ssh server using bin/client and ssh:ssh

Posted by "Christian Schneider (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/KARAF-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13403932#comment-13403932 ] 

Christian Schneider commented on KARAF-1506:
--------------------------------------------

I typically prefer to not have commands ask stuff as it prevents scripting from working nicely. We could have an option to control this of course. Either -i for interactive or -q for quiet.
So that depends if the default should be to ask or not to ask.

Printing to System.err makes sense. I will do that. I do not like the ansi stuff too much. I think it is quite overused at karaf. I think instead of writing ansi chars in the System.err.println we should rather make all that is printed to System.err red. Is that possible? I think any Error should be highlighted.

                

        

[jira] [Commented] (KARAF-1506) Check host keys when connecting to an ssh server using bin/client and ssh:ssh

Posted by "Christian Schneider (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/KARAF-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13403907#comment-13403907 ] 

Christian Schneider commented on KARAF-1506:
--------------------------------------------

Just committed the impl. @Guillaume can you review?
                

        

[jira] [Commented] (KARAF-1506) Check host keys when connecting to an ssh server using bin/client and ssh:ssh

Posted by "Christian Schneider (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/KARAF-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13403983#comment-13403983 ] 

Christian Schneider commented on KARAF-1506:
--------------------------------------------

I slightly prefer to silently acknowledge as it helps scripting. So I will add the -i option to make ssh:ssh ask for confirmation.
                

        

[jira] [Commented] (KARAF-1506) Check host keys when connecting to an ssh server using bin/client and ssh:ssh

Posted by "Christian Schneider (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/KARAF-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13404547#comment-13404547 ] 

Christian Schneider commented on KARAF-1506:
--------------------------------------------

After experimenting a bit with the -i option I switched to using -q as I think almost no one would explicitly use -i so -q is the more secure choice.
                

        

[jira] [Assigned] (KARAF-1506) Check host keys when connecting to an ssh server using bin/client and ssh:ssh

Posted by "Christian Schneider (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/KARAF-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christian Schneider reassigned KARAF-1506:
------------------------------------------

    Assignee: Christian Schneider
    

        

[jira] [Resolved] (KARAF-1506) Check host keys when connecting to an ssh server using bin/client and ssh:ssh

Posted by "Christian Schneider (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/KARAF-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christian Schneider resolved KARAF-1506.
----------------------------------------

    Resolution: Fixed
    

        

[jira] [Commented] (KARAF-1506) Check host keys when connecting to an ssh server using bin/client and ssh:ssh

Posted by "Christian Schneider (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/KARAF-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13402895#comment-13402895 ] 

Christian Schneider commented on KARAF-1506:
--------------------------------------------

To implement this we need to create a ServerKeyVerifier impl and inject it into the ssh client. The implementation should behave similarly to the normal ssh client on unix. One question is where to store the accepted server keys. On unix we could store them in the user dir where normal ssh stores them. Another option is in the etc dir of karaf.
                

        

[jira] [Commented] (KARAF-1506) Check host keys when connecting to an ssh server using bin/client and ssh:ssh

Posted by "Guillaume Nodet (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/KARAF-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13403981#comment-13403981 ] 

Guillaume Nodet commented on KARAF-1506:
----------------------------------------

Red color isn't really important, it was just a suggestion to be more homogeneous ... but that can be revisited in a different jira.
I agree an option is a good idea for automatically acknowledging hosts.  Not sure what the default should be: the current behavior is obviously to not confirm, so we could keep that one, or go for a safer one, I don't have any strong opinion on that.
                
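Added example, not part of the thread and not Karaf's committed code: a standard-library-only sketch of the trust-on-first-use decision the comments above discuss, i.e. the check a ServerKeyVerifier implementation could delegate to, with a quiet flag in the role of -q. The class name, the one-line-per-host store format, the host name and the rule that a changed key is refused even in quiet mode are assumptions made for illustration.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.util.*;

/** Added illustration (hypothetical class, not Karaf code): trust-on-first-use host key check. */
public class KnownHostsCheck {
    enum Result { MATCH, ADDED, REJECTED_UNKNOWN, REJECTED_CHANGED }

    private final Path store;    // assumed store location, e.g. a file under etc/
    private final boolean quiet; // true = record unknown keys without asking

    KnownHostsCheck(Path store, boolean quiet) { this.store = store; this.quiet = quiet; }

    // Simplification: hashes the X.509 encoding, so it differs from OpenSSH fingerprints.
    static String fingerprint(PublicKey key) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(key.getEncoded());
        return Base64.getEncoder().withoutPadding().encodeToString(digest);
    }

    Result verify(String host, PublicKey key, BufferedReader in) throws Exception {
        String fp = fingerprint(key);
        List<String> lines = Files.exists(store) ? Files.readAllLines(store) : List.of();
        for (String line : lines) {
            String[] f = line.trim().split("\\s+");
            if (f.length == 2 && f[0].equals(host)) {
                // Assumed policy: a changed key is never auto-accepted, even in quiet mode.
                return f[1].equals(fp) ? Result.MATCH : Result.REJECTED_CHANGED;
            }
        }
        if (!quiet) { // unknown key: print it and ask before storing
            System.err.println("Unknown host key for " + host + ": SHA256:" + fp);
            System.err.print("Trust this key? (yes/no) ");
            String answer = in.readLine();
            if (answer == null || !answer.trim().equalsIgnoreCase("yes")) return Result.REJECTED_UNKNOWN;
        }
        Files.write(store, List.of(host + " " + fp), StandardOpenOption.CREATE, StandardOpenOption.APPEND);
        return Result.ADDED;
    }

    public static void main(String[] args) throws Exception {
        Path store = Files.createTempFile("known_hosts", ".txt"); // throwaway store for the demo
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        PublicKey first = gen.generateKeyPair().getPublic(); // constructed sample keys
        PublicKey other = gen.generateKeyPair().getPublic();
        String host = "karaf.example:8101"; // constructed host name
        BufferedReader yes = new BufferedReader(new StringReader("yes\n"));
        System.out.println(new KnownHostsCheck(store, false).verify(host, first, yes));
        System.out.println(new KnownHostsCheck(store, true).verify(host, first, null));
        System.out.println(new KnownHostsCheck(store, true).verify(host, other, null));
    }
}
```

The three calls in main cover an unknown key confirmed interactively, the same key seen again in quiet mode, and a different key presented for a host that is already recorded.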