On Fri, Jun 08, 2018 at 11:29:35AM -0400, Laine Stump wrote:
On 06/08/2018 10:55 AM, Daniel P. Berrangé wrote:
> Despite having StrictHostKeyChecking=no, SSH still complains about the
> host key mismatch and disables password auth as a result. Using
> /dev/null as the known_hosts file ensures the keys are never saved to
> the user's profile.
Interesting. I had thought that I had run on a machine that didn't have
anything in its known_hosts file. Maybe I've done something to my cached
test image that causes it to succeed?
I'm really confused because what's there ought to work according to my
reading of it, but it seems even with the StrictHostKeyChecking=no,
if you specifically have password auth, ssh will complain to avoid MITM
stealing the password. So the known_hosts /dev/null big hammer just
stops that.
>
> Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
Reviewed-by: Laine Stump <laine(a)laine.org>
(really what we should be doing for these tests is to connect to the
guest's serial console, especially for no-ip-spoofing and
no-mac-spoofing, since they actually make the guest unreachable for a
short time. But what we have now works, so there are lots of more
important things to worry about...)
> ---
> scripts/nwfilter/210-no-mac-spoofing.t | 3 ++-
> scripts/nwfilter/220-no-ip-spoofing.t | 3 ++-
> scripts/nwfilter/230-no-mac-broadcast.t | 3 ++-
> scripts/nwfilter/240-no-arp-spoofing.t | 3 ++-
> 4 files changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/scripts/nwfilter/210-no-mac-spoofing.t
b/scripts/nwfilter/210-no-mac-spoofing.t
> index 99c5058..95b1499 100644
> --- a/scripts/nwfilter/210-no-mac-spoofing.t
> +++ b/scripts/nwfilter/210-no-mac-spoofing.t
> @@ -97,7 +97,8 @@ diag "ssh'ing into $guestip";
> my $ssh = Net::OpenSSH->new($guestip,
> user => "root",
> password => $tck->root_password(),
> - master_opts => [-o =>
"StrictHostKeyChecking=no"]);
> + master_opts => [-o =>
"UserKnownHostsFile=/dev/null",
> + -o =>
"StrictHostKeyChecking=off"]);
>
> # now bring eth0 down, change MAC and bring it up again
> diag "fiddling with mac";
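Review bot: this hunk spells the option as "StrictHostKeyChecking=off" while the other three scripts in the series use "StrictHostKeyChecking=no", and the commit message only talks about "=no"; use the same value in all four files so a reader does not have to guess whether the difference in 210-no-mac-spoofing.t is intentional.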
> diff --git a/scripts/nwfilter/220-no-ip-spoofing.t
b/scripts/nwfilter/220-no-ip-spoofing.t
> index 85c4807..a1da6eb 100644
> --- a/scripts/nwfilter/220-no-ip-spoofing.t
> +++ b/scripts/nwfilter/220-no-ip-spoofing.t
> @@ -91,7 +91,8 @@ diag "ssh'ing into $guestip";
> my $ssh = Net::OpenSSH->new($guestip,
> user => "root",
> password => $tck->root_password(),
> - master_opts => [-o =>
"StrictHostKeyChecking=no"]);
> + master_opts => [-o =>
"UserKnownHostsFile=/dev/null",
> + -o =>
"StrictHostKeyChecking=no"]);
>
> # now bring eth0 down, change IP and bring it up again
> diag "preparing ip spoof";
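Review bot: nothing in the changed lines records why known_hosts is pointed at /dev/null; the rationale lives only in the commit message, so someone reading 220-no-ip-spoofing.t later just sees host-key checking switched off. A one-line comment above master_opts, e.g. `# throwaway test guest: its host key changes between runs, and a mismatch makes ssh refuse password auth`, keeps the reason next to the weakened setting.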
> diff --git a/scripts/nwfilter/230-no-mac-broadcast.t
b/scripts/nwfilter/230-no-mac-broadcast.t
> index b65b3fc..4254e7c 100644
> --- a/scripts/nwfilter/230-no-mac-broadcast.t
> +++ b/scripts/nwfilter/230-no-mac-broadcast.t
> @@ -119,7 +119,8 @@ diag "ssh'ing into $guestip";
> my $ssh = Net::OpenSSH->new($guestip,
> user => "root",
> password => $tck->root_password(),
> - master_opts => [-o =>
"StrictHostKeyChecking=no"]);
> + master_opts => [-o =>
"UserKnownHostsFile=/dev/null",
> + -o =>
"StrictHostKeyChecking=no"]);
>
> # now generate a mac broadcast paket
> diag "generate mac broadcast";
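Review bot: this is the third verbatim copy of the same two `-o =>` pairs; with four scripts carrying the list, any later adjustment (such as the "=off" versus "=no" spelling in the first hunk) has to be made in four places. Consider having the harness supply the ssh options once, e.g. a `$tck->ssh_opts()`-style accessor alongside `$tck->root_password()` (name is only a suggestion), and passing that as master_opts here and in the other three scripts.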
> diff --git a/scripts/nwfilter/240-no-arp-spoofing.t
b/scripts/nwfilter/240-no-arp-spoofing.t
> index 69851b6..882a385 100644
> --- a/scripts/nwfilter/240-no-arp-spoofing.t
> +++ b/scripts/nwfilter/240-no-arp-spoofing.t
> @@ -100,7 +100,8 @@ diag "ssh'ing into $guestip";
> my $ssh = Net::OpenSSH->new($guestip,
> user => "root",
> password => $tck->root_password(),
> - master_opts => [-o =>
"StrictHostKeyChecking=no"]);
> + master_opts => [-o =>
"UserKnownHostsFile=/dev/null",
> + -o =>
"StrictHostKeyChecking=no"]);
>
> # now generate a arp spoofing packets
> diag "generate arpspoof script";
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|