
Re: Alioth upgraded



Hi,

Frank Küster <frank@debian.org> wrote:

> Same here.

I found what happens.

~ % dpkg -s ssh |grep Version                                    frn@gluck
Version: 10:3.9p1-2.dsa.3

~ % dpkg -s ssh |grep Version                                    flo@florent
Version: 1:4.3p2-9

It seems the ssh version on gluck is too old to understand hashed host
names in known_hosts, such as:

  |1|5W8A6H3T2xcX9BXp9f+LacthpKI=|Yxvk73qsjH9u0nXmMeaqXr+Yd/g= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAxf94wqBiDnCMk4eAlEHpbG3bg2hfRd+cDfJ2+5bGvefBnXFIJLSUmnc43G0wCLI554wfAu1b9ONkzBKuaBIWV6o5tbasu0pHtWKP6oBwLu5ILIF5MT+5wBQxiX2VxpqR6cl0lBNTOSTjua+u9VKCqJTB4tmnOkChwdOI5yP6hxM=

which is my entry corresponding to alioth.debian.org.

And when I run:

  scp frn@gluck.debian.org:.zsh{rc,env} frn@alioth.debian.org:

the scp on florent runs *on gluck* through the ssh tunnel another scp
command for each of the specified files to copy it to alioth.

Since scp on gluck is old, it doesn't understand the above line telling
about alioth's RSA key, therefore it doesn't recognize alioth.

So, I did an ssh to gluck and from there an ssh to alioth. This prompted
me whether to accept alioth's RSA key, given its fingerprint. After
checking the fingerprint, I accepted, and this added that line to my
~/.ssh/known_hosts on gluck:

alioth.debian.org,alioth,217.196.43.134 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAxf94wqBiDnCMk4eAlEHpbG3bg2hfRd+cDfJ2+5bGvefBnXFIJLSUmnc43G0wCLI554wfAu1b9ONkzBKuaBIWV6o5tbasu0pHtWKP6oBwLu5ILIF5MT+5wBQxiX2VxpqR6cl0lBNTOSTjua+u9VKCqJTB4tmnOkChwdOI5yP6hxM=

i.e., this time, the host name is *not* hashed. This seems to be the
only useful form for the scp version on gluck. I then tried again to
run:

  scp frn@gluck.debian.org:.zsh{rc,env} frn@alioth.debian.org:

from my home computer. It failed again, but for a different reason:

~ % scp frn@gluck.debian.org:.zsh{rc,env} frn@alioth.debian.org: flo@florent
Permission denied (publickey,keyboard-interactive).
lost connection
Permission denied (publickey,keyboard-interactive).
lost connection
~ %

After turning verbose output mode on, I found that scp sshes successfully
to gluck, but it's the scp from there to alioth that fails: the RSA keys
it tries for authentication are (obviously) those I have on gluck, none
of which is recognized on alioth. Moreover, it seems scp doesn't want to
perform keyboard-interactive authentication, maybe because the scp on
gluck is not directly run from gluck, but from the other scp on my
computer (florent)... Not sure about that. The fact is, I don't get any
password prompt.

From there, the solutions are I think the following:

  - use ForwardAgent to forward my ssh agent from florent to gluck, that
    would allow the automatic connection from gluck to alioth when doing
    the above scp command. But I don't like ForwardAgent for security
    reasons[1], so this is not an option.

  - create a password-less RSA key on gluck and put it in alioth's
    authorized_keys file. This would create a similar security problem:
    if my account on gluck were compromised, then the attacker could
    trivially connect to alioth. So, this is not an option either.

As a consequence, I see no secure solution to make the previous scp
command work. :-/
I thus resorted to a more cumbersome method: I created a new RSA key on
gluck (*with* a password) and added it to alioth's authorized_keys file.
I could then ssh to gluck, load the ssh-agent, ssh-add that new key and
scp the files from gluck to alioth.

I guess this is just another illustration of "security and ease of use
don't go well together".


  [1] Because if I enable this and gluck is compromised, then when I
      connect to gluck, the attacker could connect to any machine that
      my agent on florent allows connection to.

-- 
Florent
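The message above hinges on the two forms a known_hosts host field can take: the hashed `|1|salt|hash` form that the newer client on florent writes, and the plain comma-separated form that the old client on gluck needs. The following Python is an added example, not part of the original message or of OpenSSH; it reimplements the matching rule so the difference is visible. A hashed field is HMAC-SHA1 keyed with a 20-byte random salt over the host name, so a client that understands it can still check a name against the file, while a client predating hashed entries (they arrived in OpenSSH 4.0, which is why the 3.9p1 client on gluck fails) only ever does a plain comparison and treats the hashed field as an unknown name. The known_hosts contents, the key strings and the fixed salt are constructed for the example and are not real keys.

```python
"""Match host names against OpenSSH known_hosts entries, hashed or plain (added example)."""
import base64
import fnmatch
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

HASH_MAGIC = "|1|"  # marker OpenSSH puts in front of a hashed host field (HashKnownHosts)


def hash_host(hostname: str, salt: Optional[bytes] = None) -> str:
    """Build a hashed host field as OpenSSH writes it: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname)).

    The salt is 20 random bytes; because the name is run through a keyed hash,
    someone reading the file cannot recover the host names without guessing them.
    """
    if salt is None:
        salt = os.urandom(20)
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "{}{}|{}".format(HASH_MAGIC,
                            base64.b64encode(salt).decode(),
                            base64.b64encode(digest).decode())


def hash_entry(line: str) -> List[str]:
    """Turn one plain known_hosts line into hashed lines, as `ssh-keygen -H` does:
    a comma-separated host list becomes one hashed line per name, since a single
    hash can only cover a single name."""
    hosts, rest = line.split(None, 1)
    return ["{} {}".format(hash_host(h), rest) for h in hosts.split(",")]


def _plain_matches(field: str, hostname: str) -> bool:
    # Plain field: comma-separated names, each possibly a glob pattern.
    # (Negated "!pattern" and "[host]:port" forms are left out of this example.)
    return any(fnmatch.fnmatchcase(hostname, pat) for pat in field.split(","))


def host_matches(field: str, hostname: str) -> bool:
    """Does the host field of a known_hosts line cover `hostname`? (modern client)"""
    if field.startswith(HASH_MAGIC):
        _, _, salt_b64, digest_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return _plain_matches(field, hostname)


def legacy_host_matches(field: str, hostname: str) -> bool:
    """Plain-only matching, as a client older than OpenSSH 4.0 does it: the hashed
    field is compared literally, so it never equals a real host name."""
    return _plain_matches(field, hostname)


def find_keys(known_hosts: str, hostname: str, legacy: bool = False) -> List[Tuple[str, str]]:
    """Return (key type, key) for every line whose host field covers `hostname`."""
    match = legacy_host_matches if legacy else host_matches
    found = []
    for raw in known_hosts.splitlines():
        line = raw.strip()
        # Skip blanks, comments and @cert-authority/@revoked marker lines (not handled here).
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        if match(parts[0], hostname):
            found.append((parts[1], parts[2]))
    return found


# Constructed sample data (not real keys, not the author's file): one hashed entry
# like the first known_hosts line in the message, one plain entry like the second.
SAMPLE_SALT = bytes(range(20))
ALIOTH_KEY = "AAAAB3NzaC1yc2EAAAABIwAAAIEA-constructed-alioth"
GLUCK_KEY = "AAAAB3NzaC1yc2EAAAABIwAAAIEA-constructed-gluck"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "{} ssh-rsa {}".format(hash_host("alioth.debian.org", SAMPLE_SALT), ALIOTH_KEY),
    "gluck.debian.org,gluck ssh-rsa {}".format(GLUCK_KEY),
])

if __name__ == "__main__":
    for name in ("alioth.debian.org", "gluck"):
        print(name, "modern:", find_keys(SAMPLE_KNOWN_HOSTS, name),
              "legacy:", find_keys(SAMPLE_KNOWN_HOSTS, name, legacy=True))
    print("\n".join(hash_entry("gluck.debian.org,gluck ssh-rsa " + GLUCK_KEY)))
```

Run stand-alone, it shows the modern matcher finding alioth's key behind the hashed field while the legacy matcher finds nothing, which is exactly the situation on gluck; the plain gluck entry is found by both. `hash_entry` also shows why `ssh-keygen -H` turns the three-name plain line from the message into three separate hashed lines.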


