
On Fri, Jun 08, 2018 at 11:29:35AM -0400, Laine Stump wrote:
On 06/08/2018 10:55 AM, Daniel P. Berrangé wrote:
Despite having StrictHostKeyChecking=no, SSH still complains about the host key mismatch and disables password auth as a result. Using /dev/null as the known_hosts file ensures the keys are never saved to the user's profile.
Interesting. I had thought that I had run on a machine that didn't have anything in its known_hosts file. Maybe I've done something to my cached test image that causes it to succeed?
I'm really confused because what's there ought to work according to my reading of it, but it seems even with the StrictHostKeyChecking=no, if you specifically have password auth, ssh will complain to avoid MITM stealing the password. So the known_hosts /dev/null big hammer just stops that.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Laine Stump <laine@laine.org>
(really what we should be doing for these tests is to connect to the guest's serial console, especially for no-ip-spoofing and no-mac-spoofing, since they actually make the guest unreachable for a short time. But what we have now works, so there's lots more important things to worry about...)
--- scripts/nwfilter/210-no-mac-spoofing.t | 3 ++- scripts/nwfilter/220-no-ip-spoofing.t | 3 ++- scripts/nwfilter/230-no-mac-broadcast.t | 3 ++- scripts/nwfilter/240-no-arp-spoofing.t | 3 ++- 4 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/scripts/nwfilter/210-no-mac-spoofing.t b/scripts/nwfilter/210-no-mac-spoofing.t index 99c5058..95b1499 100644 --- a/scripts/nwfilter/210-no-mac-spoofing.t +++ b/scripts/nwfilter/210-no-mac-spoofing.t @@ -97,7 +97,8 @@ diag "ssh'ing into $guestip"; my $ssh = Net::OpenSSH->new($guestip, user => "root", password => $tck->root_password(), - master_opts => [-o => "StrictHostKeyChecking=no"]); + master_opts => [-o => "UserKnownHostsFile=/dev/null", + -o => "StrictHostKeyChecking=off"]);
# now bring eth0 down, change MAC and bring it up again diag "fiddling with mac"; diff --git a/scripts/nwfilter/220-no-ip-spoofing.t b/scripts/nwfilter/220-no-ip-spoofing.t index 85c4807..a1da6eb 100644 --- a/scripts/nwfilter/220-no-ip-spoofing.t +++ b/scripts/nwfilter/220-no-ip-spoofing.t @@ -91,7 +91,8 @@ diag "ssh'ing into $guestip"; my $ssh = Net::OpenSSH->new($guestip, user => "root", password => $tck->root_password(), - master_opts => [-o => "StrictHostKeyChecking=no"]); + master_opts => [-o => "UserKnownHostsFile=/dev/null", + -o => "StrictHostKeyChecking=no"]);
# now bring eth0 down, change IP and bring it up again diag "preparing ip spoof"; diff --git a/scripts/nwfilter/230-no-mac-broadcast.t b/scripts/nwfilter/230-no-mac-broadcast.t index b65b3fc..4254e7c 100644 --- a/scripts/nwfilter/230-no-mac-broadcast.t +++ b/scripts/nwfilter/230-no-mac-broadcast.t @@ -119,7 +119,8 @@ diag "ssh'ing into $guestip"; my $ssh = Net::OpenSSH->new($guestip, user => "root", password => $tck->root_password(), - master_opts => [-o => "StrictHostKeyChecking=no"]); + master_opts => [-o => "UserKnownHostsFile=/dev/null", + -o => "StrictHostKeyChecking=no"]);
# now generate a mac broadcast paket diag "generate mac broadcast"; diff --git a/scripts/nwfilter/240-no-arp-spoofing.t b/scripts/nwfilter/240-no-arp-spoofing.t index 69851b6..882a385 100644 --- a/scripts/nwfilter/240-no-arp-spoofing.t +++ b/scripts/nwfilter/240-no-arp-spoofing.t @@ -100,7 +100,8 @@ diag "ssh'ing into $guestip"; my $ssh = Net::OpenSSH->new($guestip, user => "root", password => $tck->root_password(), - master_opts => [-o => "StrictHostKeyChecking=no"]); + master_opts => [-o => "UserKnownHostsFile=/dev/null", + -o => "StrictHostKeyChecking=no"]);
# now generate a arp spoofing packets diag "generate arpspoof script";
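Review bot: the hunk for scripts/nwfilter/210-no-mac-spoofing.t sets `StrictHostKeyChecking=off`, while the other three files and the commit message use `StrictHostKeyChecking=no`; older OpenSSH clients accept only yes/no/ask for this option and reject any other value, so the test would fail to connect at all on such a guest. Change that line to `-o => "StrictHostKeyChecking=no"` so all four scripts are consistent.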
Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|