Bug#922314: python3-x2gobroker: insecure default SSH host key policy

To: submit@bugs.debian.org
Subject: Bug#922314: python3-x2gobroker: insecure default SSH host key policy
From: Linnea Skogtvedt <linnea@linuxavdelingen.no>
Date: Thu, 14 Feb 2019 14:46:41 +0100
Message-id: <[🔎] 1f3950ba-ede5-4e62-69d3-6b2e3d76ee31@linuxavdelingen.no>
Reply-to: Linnea Skogtvedt <linnea@linuxavdelingen.no>, 922314@bugs.debian.org

Package: python3-x2gobroker
Version: 0.0.4.0-3

The x2gobroker/agent.py source file contains the following lines in the
_call_remote_broker_agent function:

elif 'host_key_policy' not in remote_agent:
        remote_agent['host_key_policy'] = paramiko.WarningPolicy()

This overrides the paramiko SSH library default which is RejectPolicy. I
believe that should be the default in python3-x2gobroker as well,
because it's the expected default in SSH clients and libraries, and
because the (indirect) caller in broker/base_broker.py does not set a
policy.

Reply to:

Prev by Date: Bug#922293: libxcomp3 must use -lpthread or -pthread (undefined symbol: pthread_key_create)
Next by Date: Bug#922293: libxcomp3 must use -lpthread or -pthread (undefined symbol: pthread_key_create)
Previous by thread: Processed: Re: Bug#922293: libxcomp3 must use -lpthread or -pthread (undefined symbol: pthread_key_create)
Next by thread: Bug#922326: Use background image file that is available on stretch and buster
Index(es):
- Date
- Thread