SSH: sss_ssh_knownhosts must accept port numbers #7583
Conversation
8d4019c to 7899645
Shall not
This is uncertain, because we are trying to do something that will work with an IPA feature that doesn't exist nowadays. However, my understanding is that IPA will continue identifying the hosts by their canonicalized hostname as it currently does, and all the keys (with and without a port) for that host will be returned. What is returned today as "the key" is the keytype and the key itself, while in the future the result will also include the hostname and port number (if it is not the default). But we still need to identify the host object in IPA by the host name without the port number.
7899645 to 39d5113
How is 'port' used then?
For the canonicalized name and to add it to the keys that don't include the host list (if Depending on how users start using these features in the future, we could also want to filter the retrieved keys to return only those that match the host and port that
39d5113 to d834673
I found an error in the PR. I will "block" it until it is fixed.
d834673 to 9dd2880
7e59c37 to fb15de9
@alexey-tikhonov
src/util/sss_ssh.c
Outdated
if (keyhost == NULL) { | ||
/* Check if the host name part is included with the key. | ||
* OpenSSH expects a linebreak after each key. */ | ||
if (keyhost == NULL || sss_ssh_key_has_host_name(repr, needlehost)) { |
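Review bot: in the new condition, `sss_ssh_key_has_host_name(repr, needlehost)` is only evaluated when `keyhost != NULL`, but nothing in this hunk guarantees that `needlehost` is non-NULL in that case; either document the precondition (needlehost must be set whenever keyhost is) or add an explicit NULL check before the call. The comment above the condition ("OpenSSH expects a linebreak after each key") also no longer describes what the `if` tests; consider updating it to say that the host name is prepended only when the key does not already carry one.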
(Not currently possible but) there is no guarantee that needlehost != NULL here.
Wouldn't it be possible to deduce `needlehost` from `keyhost` instead of new arg?
Of course it can be done, but that means we need to call parse_ssh_host() again from this function, when it was already called from the caller function.
I think it is overkill to call this function here when we already have the values.
If you feel uncomfortable about `needlehost` being NULL, I can add a check. Or just document it must not be NULL if `keyhost` is not NULL.
Up to you
I documented the behavior and added a simple check.
fb15de9 to 4461cfb
sss_ssh_knownhosts was only accepting a hostname or IP address, but no port number. Because token %H of ssh(1) could pass a port number, it must be accepted.
The %H token can provide the hostname and port number in the following format:
hostname
canonical.host.name
IP-address
[hostname]:port
[canonical.host.name]:port
[IP-address]:port
The port is specified only when a non-default port is used.
Identifiers without the brackets are also recognized in case a user invokes the tool directly.
4461cfb to 18ffeb0
Thanks for the fix
sss_ssh_knownhosts was only accepting a hostname or IP address, but no port number. Because token %H of ssh(1) could pass a port number, it must be accepted.
The %H token can provide the hostname and port number in the following formats:
hostname
canonical.host.name
IP-address
[hostname]:port
[canonical.host.name]:port
[IP-address]:port
The port is specified only when a non-default port is used.
Identifiers without the brackets are also recognized in case a user invokes the tool manually.
When the retrieved keys do not include the hostname, the hostname received as parameter will be added before the keytype to output a correctly formatted line. The hostname will be added unmodified or just the hostname (no port number), depending on whether the new -o,--only-host-name option was provided. This was done to handle the situation when a non-default port number is used and the keys don't include the hostname and port number.
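The PR description above lists the `%H` forms the tool must accept and describes how a host name is prepended to a key that lacks one. The following C is an added illustration written for this page; it is not SSSD's code and does not reuse `parse_ssh_host()` or `sss_ssh_key_has_host_name()`. The function and type names (`parse_ssh_target`, `format_known_hosts_line`, `struct ssh_target`) are hypothetical. It accepts the bracketed `[host]:port` form and the bare `host` and `host:port` forms, treats a bare string with more than one colon as an IPv6 literal without a port (an assumption made here to keep the bare form unambiguous), rejects out-of-range ports, and emits a known_hosts line with the `[host]:port` prefix OpenSSH uses for non-default ports unless the caller asks for the host name only, mirroring the `-o,--only-host-name` behaviour described above.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed form of an ssh(1) %H token. port == 0 means "not specified" (default port). */
struct ssh_target {
    char host[256];
    unsigned port;
};

/* Accept only 1..65535 written as plain decimal digits. */
static bool parse_port(const char *s, unsigned *port)
{
    unsigned long v = 0;

    if (*s == '\0' || strlen(s) > 5) {
        return false;
    }
    for (; *s != '\0'; s++) {
        if (!isdigit((unsigned char)*s)) {
            return false;
        }
        v = v * 10 + (unsigned long)(*s - '0');
    }
    if (v < 1 || v > 65535) {
        return false;
    }
    *port = (unsigned)v;
    return true;
}

/* Copy [begin, begin+len) into out->host, refusing empty or oversized names. */
static bool set_host(struct ssh_target *out, const char *begin, size_t len)
{
    if (len == 0 || len >= sizeof(out->host)) {
        return false;
    }
    memcpy(out->host, begin, len);
    out->host[len] = '\0';
    return true;
}

/* Hypothetical parser: hostname | IP | host:port | [hostname]:port | [IP]:port */
bool parse_ssh_target(const char *input, struct ssh_target *out)
{
    const char *colon;

    if (input == NULL || out == NULL || *input == '\0') {
        return false;
    }
    memset(out, 0, sizeof(*out));

    if (input[0] == '[') {
        /* Bracketed form: the closing bracket must be followed by ":port". */
        const char *close = strchr(input, ']');
        if (close == NULL || close[1] != ':') {
            return false;
        }
        if (!parse_port(close + 2, &out->port)) {
            return false;
        }
        return set_host(out, input + 1, (size_t)(close - input - 1));
    }

    /* Bare form: exactly one colon means host:port; several colons are an IPv6 literal. */
    colon = strchr(input, ':');
    if (colon != NULL && strchr(colon + 1, ':') == NULL) {
        if (!parse_port(colon + 1, &out->port)) {
            return false;
        }
        return set_host(out, input, (size_t)(colon - input));
    }
    return set_host(out, input, strlen(input));
}

/* Prepend the host to a "keytype key" string. With only_host_name the port is
 * dropped; otherwise a non-default port yields the "[host]:port" known_hosts form.
 * Returns the number of bytes written, or -1 if buf is too small. */
int format_known_hosts_line(const struct ssh_target *t, const char *key_repr,
                            bool only_host_name, char *buf, size_t buflen)
{
    int n;

    if (t->port == 0 || only_host_name) {
        n = snprintf(buf, buflen, "%s %s\n", t->host, key_repr);
    } else {
        n = snprintf(buf, buflen, "[%s]:%u %s\n", t->host, t->port, key_repr);
    }
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

int main(void)
{
    /* Constructed inputs; the key material is a placeholder, not a real key. */
    const char *inputs[] = { "host.example.com", "[host.example.com]:2222",
                             "10.0.0.5:2022", "fe80::1", "[fe80::1]:22022", "[bad]:99999" };
    struct ssh_target t;
    char line[512];

    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        if (!parse_ssh_target(inputs[i], &t)) {
            printf("%-26s -> rejected\n", inputs[i]);
            continue;
        }
        format_known_hosts_line(&t, "ssh-ed25519 AAAA...placeholder", false, line, sizeof(line));
        printf("%-26s -> %s", inputs[i], line);
    }
    return 0;
}
```

The bracketed form is unambiguous for both host names and IPv6 literals, which is why OpenSSH uses it in known_hosts; the bare `host:port` form is only safe to accept because a single colon cannot appear in a valid IPv6 address.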