Bug#991797: the distributed ssh_config
On Mon, Aug 02, 2021 at 11:40:02AM +0200, Frank-Michael Fischer wrote:
> *# UserKnownHostsFile ~/.ssh/known_hosts.d/%k*
That's not actually the default though; upstream seems to have added
that *comment* to the distributed ssh_config merely as an example. The
actual code that sets the default behaviour looks like this:
    if (options->num_user_hostfiles == 0) {
        options->user_hostfiles[options->num_user_hostfiles++] =
            xstrdup(_PATH_SSH_USER_HOSTFILE);
        options->user_hostfiles[options->num_user_hostfiles++] =
            xstrdup(_PATH_SSH_USER_HOSTFILE2);
    }
And the corresponding macro definitions for that are:
    /*
     * Per-user file containing host keys of known hosts.  This file need not be
     * readable by anyone except the user him/herself, though this does not
     * contain anything particularly secret.
     */
    #define _PATH_SSH_USER_HOSTFILE "~/" _PATH_SSH_USER_DIR "/known_hosts"
    /* backward compat for protocol 2 */
    #define _PATH_SSH_USER_HOSTFILE2 "~/" _PATH_SSH_USER_DIR "/known_hosts2"
I also tested this in a clean Debian unstable container image, and
strace proves that ssh is looking at ~/.ssh/known_hosts by default:
212 openat(AT_FDCWD, "/home/cjwatson/.ssh/known_hosts", O_RDONLY) = -1 ENOENT (No such file or directory)
212 openat(AT_FDCWD, "/home/cjwatson/.ssh/known_hosts2", O_RDONLY) = -1 ENOENT (No such file or directory)
212 openat(AT_FDCWD, "/etc/ssh/ssh_known_hosts", O_RDONLY) = -1 ENOENT (No such file or directory)
212 openat(AT_FDCWD, "/etc/ssh/ssh_known_hosts2", O_RDONLY) = -1 ENOENT (No such file or directory)
> There is another bug in the default settings:
>
> Without adding "hmac-sha2-256" this way "MACs
> hmac-md5,hmac-sha1,hmac-sha2-256,umac-64@openssh.com" ssh does not connect
> to any of my own sshd servers on Debian 10, Ubuntu 18.04 and 20.04 and
> Oracle Linux 8.
Again, the commented-out values in ssh_config are merely comments and
are not actually the defaults. (You would have to ask upstream for why
the commented-out values aren't in sync there, but that would at most be
a documentation error, not incorrect defaults.) "man ssh_config"
describes the actual default for MACs, which is:
umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
--
Colin Watson (he/him) [cjwatson@debian.org]
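The point made in this reply, that a commented-out line in ssh_config is inert and the real defaults come from the code and ssh_config(5), can be checked mechanically. The following is an added example, not code from the bug report or from OpenSSH: a small reader for the ssh_config syntax (comments, `Key value` / `Key=value`, `Host` blocks with glob patterns, first-obtained-value-wins) that falls back to the two defaults quoted above when a keyword is never set. The sample configuration text is constructed for this example and only mirrors the shape of the distributed file; negated `Host` patterns and `Match` blocks are deliberately not modelled.

```python
"""Resolve effective ssh_config options, showing that comments are not defaults.

Added example (not OpenSSH code). It implements only the subset of the
ssh_config(5) syntax needed to make the point: comments and blank lines
are skipped, 'Key value' / 'Key=value' / 'Key = value' are accepted, a
Host block applies to hosts matching one of its glob patterns, and the
first obtained value for a keyword wins. Unset keywords fall back to
DEFAULTS, whose values are the ones quoted in the bug discussion.
"""
import fnmatch

# Defaults as quoted in the thread: readconf.c/pathnames.h for the
# known_hosts files, ssh_config(5) for MACs.
DEFAULTS = {
    "userknownhostsfile": "~/.ssh/known_hosts ~/.ssh/known_hosts2",
    "macs": (
        "umac-64-etm@openssh.com,umac-128-etm@openssh.com,"
        "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,"
        "hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,"
        "hmac-sha2-256,hmac-sha2-512,hmac-sha1"
    ),
}


def _split_directive(line):
    """Split 'Key value', 'Key=value' or 'Key = value' into (key, value).

    Keywords are case-insensitive in ssh_config, so the key is lower-cased.
    """
    parts = line.split(None, 1)
    key = parts[0]
    rest = parts[1].strip() if len(parts) > 1 else ""
    if "=" in key:                       # 'Key=value' form
        key, _, inline = key.partition("=")
        rest = (inline + " " + rest).strip()
    elif rest.startswith("="):           # 'Key = value' form
        rest = rest[1:].strip()
    return key.lower(), rest


def effective_options(config_text, host):
    """Return the options ssh would use for `host` from one ssh_config text."""
    found = {}
    active = True                        # lines before any Host block are global
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                     # a comment never sets anything
        key, value = _split_directive(line)
        if key == "host":
            active = any(fnmatch.fnmatchcase(host, p) for p in value.split())
            continue
        if active and key not in found:  # first obtained value wins
            found[key] = value
    return {**DEFAULTS, **found}


# Constructed sample in the shape of the distributed file: the interesting
# lines are comments, so none of them takes effect.
DISTRIBUTED_STYLE = """\
# Constructed ssh client configuration for this example.
Host *
#   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
#   MACs hmac-md5,hmac-sha1,hmac-sha2-256,umac-64@openssh.com
    SendEnv LANG LC_*
    HashKnownHosts yes
"""

# The same file with an active per-host override placed before 'Host *',
# which is where a host-specific block must go under first-wins semantics.
WITH_OVERRIDE = """\
Host legacy.example
    MACs hmac-sha2-256
""" + DISTRIBUTED_STYLE


if __name__ == "__main__":
    for name, cfg, host in [
        ("distributed-style", DISTRIBUTED_STYLE, "any.example"),
        ("with override", WITH_OVERRIDE, "legacy.example"),
        ("with override", WITH_OVERRIDE, "other.example"),
    ]:
        opts = effective_options(cfg, host)
        print(f"[{name}] host={host}")
        print("  UserKnownHostsFile:", opts["userknownhostsfile"])
        print("  MACs:", opts["macs"])
```

On a real system the authoritative check is `ssh -G somehost`, which prints the configuration ssh would actually apply without opening a connection; the reader above only makes the parsing rule visible in isolation.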